Consider locking down the MDM and MAM scope -
MDM user scope - set to the groups that actually need to auto-enroll, not All:
- DEM users (the Device Enrollment Managers that are pre-building and deploying devices)
- Windows 10 Corporate users (recipients of corporate Windows 10 devices, so that Autopilot can enroll them)
In Azure AD - Mobility (MDM and MAM) - select - Microsoft Intune -
MDM user scope - Select - Some
Select - No groups selected
Select the user group(s) that will be allowed to auto-enroll devices (for Autopilot)
Note that in this test, I have added the DEM accounts (Device Enrollment Managers) to the group - AAD_Sec_User_Windows10_Corporate
Click - Select
Save
=======================================================================
Testing -
User04 - is a member of group - AAD_Sec_User_Windows10_Corporate
User06 - not a member of group - AAD_Sec_User_Windows10_Corporate
User04 - is a member of the group
Autopilot process kicks off as expected
Autopilot process also kicks off for the DEM account, as it is also a member of the group
The machine has been enrolled and applications deployed
User06 - not a member
User can log on, but no apps are deployed and the device is not MDM-enrolled (the user is outside the MDM user scope)
Device is literally a Windows device with no company apps or policies applied.
User is NOT a local admin of the device
==========================================================================
BYOD -
Process -
Restrict MAM enrollment to only the group - AAD_Sec_User_Windows10_BYOD
Users log in to their device with a Microsoft account (@outlook.com, etc.)
Users register the device with the Company Portal app from the Microsoft Store
Use the group - AAD_Sec_User_Windows10_BYOD
Allow users in this group to register for MAM
Three test users
- Not a member of the MAM group AAD_Sec_User_Windows10_BYOD
- Is a member of the MAM group AAD_Sec_User_Windows10_BYOD
- Is a member of both the MAM group and the MDM group (AAD_Sec_User_Windows10_BYOD and AAD_Sec_User_Windows10_Corporate)
Users -
BYOD.yes - AAD_Sec_User_Windows10_BYOD
BYOD.no - (no group)
BYOD.Both - AAD_Sec_User_Windows10_BYOD - AAD_Sec_User_Windows10_Corporate
Update the MAM scope -
MAM user scope now only has one group - AAD_Sec_User_Windows10_BYOD
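Before running either set of tests it is worth confirming, from the directory side, that the MDM and MAM scopes really are set to Some with only the intended groups, and that each test user is in the group you think they are. The script below is an added example (not from the original post) that does that with the Microsoft Graph PowerShell SDK v2. It assumes the beta endpoints /policies/mobileDeviceManagementPolicies and /policies/mobileAppManagementPolicies expose the Azure AD Mobility (MDM and MAM) settings (appliesTo = none, all or selected, plus an includedGroups relationship), and it uses the group and test-user display names from this post.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users
# Added example, not code from the original post.
# Assumptions: Microsoft Graph PowerShell SDK v2; the beta mobility policy endpoints
# below expose the "Mobility (MDM and MAM)" scopes; group/user names are the post's.

Connect-MgGraph -Scopes 'Policy.Read.All', 'User.Read.All', 'GroupMember.Read.All' -NoWelcome

$mdmGroup = 'AAD_Sec_User_Windows10_Corporate'   # expected MDM user scope group
$mamGroup = 'AAD_Sec_User_Windows10_BYOD'        # expected MAM user scope group
$testUsers = @('User04', 'User06', 'BYOD.yes', 'BYOD.no', 'BYOD.Both')

function Get-MobilityScope {
    # One object per mobility policy (normally just "Microsoft Intune") with the
    # scope setting and the display names of the included groups.
    param([ValidateSet('mobileDeviceManagementPolicies', 'mobileAppManagementPolicies')][string]$Kind)
    $base = "https://graph.microsoft.com/beta/policies/$Kind"
    foreach ($p in (Invoke-MgGraphRequest -Method GET -Uri $base).value) {
        $groups = @()
        if ($p.appliesTo -eq 'selected') {
            $groups = @((Invoke-MgGraphRequest -Method GET -Uri "$base/$($p.id)/includedGroups").value |
                ForEach-Object { $_.displayName })
        }
        [pscustomobject]@{ Kind = $Kind; Policy = $p.displayName; AppliesTo = $p.appliesTo; Groups = $groups }
    }
}

function Test-MobilityScope {
    # Flags the two mistakes this post is about: a scope left at All (every licensed
    # user auto-enrolls) and a Some scope whose groups are not the intended pilot groups.
    param([string]$Kind, [string[]]$ExpectedGroups)
    foreach ($scope in Get-MobilityScope -Kind $Kind) {
        $missing = @($ExpectedGroups | Where-Object { $scope.Groups -notcontains $_ })
        $extra   = @($scope.Groups   | Where-Object { $ExpectedGroups -notcontains $_ })
        $ok = ($scope.AppliesTo -eq 'selected') -and ($missing.Count -eq 0) -and ($extra.Count -eq 0)
        [pscustomobject]@{
            Scope    = $(if ($Kind -like 'mobileDevice*') { 'MDM' } else { 'MAM' })
            Policy   = $scope.Policy
            Setting  = $scope.AppliesTo
            Groups   = ($scope.Groups -join ', ')
            Expected = ($ExpectedGroups -join ', ')
            Result   = $(if ($ok) { 'OK' } else { 'CHECK' })
        }
    }
}

function Get-TestUserMembership {
    # Which scope groups each test user is actually in, so a "no apps deployed" result
    # can be traced to membership rather than to Autopilot or the app assignment.
    param([string[]]$Names)
    foreach ($name in $Names) {
        $user = Get-MgUser -Filter "displayName eq '$name'" -Property Id, DisplayName, UserPrincipalName |
            Select-Object -First 1
        if (-not $user) { Write-Warning "Test user '$name' not found"; continue }
        $memberOf = @(Get-MgUserMemberOf -UserId $user.Id -All |
            ForEach-Object { $_.AdditionalProperties['displayName'] })
        [pscustomobject]@{
            User       = $user.UserPrincipalName
            InMdmGroup = [bool]($memberOf -contains $mdmGroup)
            InMamGroup = [bool]($memberOf -contains $mamGroup)
        }
    }
}

Test-MobilityScope -Kind mobileDeviceManagementPolicies -ExpectedGroups @($mdmGroup) | Format-Table -AutoSize
Test-MobilityScope -Kind mobileAppManagementPolicies    -ExpectedGroups @($mamGroup) | Format-Table -AutoSize
Get-TestUserMembership -Names $testUsers | Format-Table -AutoSize
```

Any row showing Setting = all is the case the post is warning about: every licensed user in the tenant would auto-enroll. For the BYOD.Both case the membership table should show both columns True, which is what makes that user interesting to test.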
====================================================================
Updated Microsoft 365 Apps -
Added the group - AAD_Sec_User_Windows10_BYOD to the Available for enrolled devices assignment.
Updated to show in the Company Portal.
Testing
byod.no - Azure AD registered (not managed)
Settings - Accounts - Access work or school - Connect - corporate email address
Configure Windows 10 Mail app
Install Microsoft 365 Apps for enterprise
Activate Word - sign out with the personal email - sign in with the corporate email
Configure Outlook.
Configure OneDrive for Business
Company Portal - Azure AD registered (not managed)
Allow my organization to manage my device - Yes (default) -
Terms and Conditions -
Outlook -
byod.no
Access company email via Outlook
Access company email via the Mail app
byod.yes
Log in with the Outlook.com account
Register via Company Portal
byod.both
Log in with the Outlook.com account
Register via Company Portal
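The outcomes recorded in both test sections ("enrolled and apps deployed", "Azure AD registered (not managed)", "plain Windows device with no policies", "user is NOT a local admin") are inferred from what the user sees. The script below is an added example (not from the original post) that reads the same state from the device itself, so a missing app can be told apart from a failed or skipped MDM enrollment. It assumes it is run in the signed-in test user's session on the Windows 10 device (elevate only if the Enrollments registry key is not readable), that dsregcmd.exe prints the key names used here (AzureAdJoined, WorkplaceJoined, TenantName, MdmUrl, WorkplaceMdmUrl), and that Intune enrollments appear under HKLM:\SOFTWARE\Microsoft\Enrollments with ProviderID 'MS DM Server'.

```powershell
# Added example, not code from the original post.
# Assumptions: run as the test user on the Windows 10 device; dsregcmd.exe present;
# dsregcmd key names and the Enrollments registry layout are as described in the lead-in.

function Get-DsregStatus {
    # Flatten the "Key : Value" lines of dsregcmd /status into a hashtable (first hit wins).
    $state = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*)$') {
            $key = $matches[1].Trim()
            if (-not $state.ContainsKey($key)) { $state[$key] = $matches[2].Trim() }
        }
    }
    $state
}

function Get-MdmEnrollment {
    # Every MDM enrollment recorded on the device; Intune uses ProviderID 'MS DM Server'.
    # Non-enrollment subkeys (Status, Ownership, ...) have no ProviderID and are skipped.
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            if ($p.ProviderID) {
                [pscustomobject]@{
                    EnrollmentId = $_.PSChildName
                    Provider     = $p.ProviderID
                    Upn          = $p.UPN
                    State        = $p.EnrollmentState
                }
            }
        }
}

function Test-CurrentUserIsLocalAdmin {
    # The post expects the corporate user NOT to be a local admin; check the group, not the token.
    $me = [Security.Principal.WindowsIdentity]::GetCurrent().Name     # e.g. AzureAD\User04
    $admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Name })
    [bool]($admins -contains $me)
}

function Get-DeviceManagementState {
    $ds = Get-DsregStatus
    $intune = @(Get-MdmEnrollment | Where-Object Provider -eq 'MS DM Server')
    $joined     = $ds['AzureAdJoined']   -eq 'YES'   # device identity in Azure AD (Autopilot path)
    $registered = $ds['WorkplaceJoined'] -eq 'YES'   # work account added to a personal device (BYOD path)

    if ($joined -and $intune.Count -gt 0) {
        $verdict = 'Azure AD joined and Intune enrolled (corporate / Autopilot)'
    }
    elseif ($joined) {
        $verdict = 'Azure AD joined but NOT MDM-enrolled (user outside the MDM user scope?)'
    }
    elseif ($registered -and $intune.Count -gt 0) {
        $verdict = 'Azure AD registered and Intune managed (BYOD via Company Portal)'
    }
    elseif ($registered) {
        $verdict = 'Azure AD registered (not managed)'
    }
    else {
        $verdict = 'No work account: plain Windows device'
    }

    [pscustomobject]@{
        AzureAdJoined      = $joined
        AzureAdRegistered  = $registered
        TenantName         = $ds['TenantName']
        MdmUrl             = $(if ($ds['MdmUrl']) { $ds['MdmUrl'] } else { $ds['WorkplaceMdmUrl'] })
        IntuneEnrollments  = $intune.Count
        EnrolledUpn        = ($intune.Upn -join ', ')
        CurrentUserIsAdmin = Test-CurrentUserIsLocalAdmin
        Verdict            = $verdict
    }
}

Get-DeviceManagementState | Format-List
```

For the User06 case above the expected output is AzureAdJoined = True with IntuneEnrollments = 0 and CurrentUserIsAdmin = False; for byod.no it is AzureAdRegistered = True with IntuneEnrollments = 0; for byod.yes the Intune enrollment count should be 1 with the user's corporate UPN.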
MDM and MAM scopes - Considerations for pilot groups, BYOD and Company Wide enrolling