MDM and MAM scopes - Considerations for pilot groups, BYOD and Company Wide enrolling

Consider locking down the MDM and MAM user scopes to specific groups -

MDM - set to groups
- DEM users (the Device Enrollment Managers that are pre-building and deploying devices)
- Windows 10 Corporate users (recipients of corporate Windows 10 devices, so that Autopilot enrollment is allowed).


Select - Microsoft Intune -

MDM user scope - Select - Some
Select - No groups selected


Select the user group(s) that will be allowed to auto-enroll devices (for Autopilot).
Note that in this test, I have added the DEM accounts (Device Enrollment Managers) to the group - AAD_Sec_User_Windows10_Corporate
Click - Select


Save


=======================================================================

Testing -
User04 - is a member of group - AAD_Sec_User_Windows10_Corporate
User06 - not a member of group - AAD_Sec_User_Windows10_Corporate

User04 - is a member of the group
Autopilot process kicks off as expected


Autopilot process also kicks off for the DEM account as it is also a member of the group

The machine has been enrolled and applications deployed




User06 - not a member
User can log on, but no apps are deployed and the device is not enrolled in Azure AD
The device is just a plain Windows device with no company apps or policies applied.
User is NOT a local admin of the device


==========================================================================

BYOD -

Process -
Restrict MAM enrollment to only the group - AAD_Sec_User_Windows10_BYOD
Users log into their device with a Microsoft account (@outlook.com, etc.)
Users register the device with the Company Portal app from the Microsoft Store


Use the group - AAD_Sec_User_Windows10_BYOD
Allow users in this group to Register for MAM

Three test users
- Not a member of the MAM group AAD_Sec_User_Windows10_BYOD
- Is a member of the MAM group AAD_Sec_User_Windows10_BYOD
- Is a member of both the MAM group (AAD_Sec_User_Windows10_BYOD) and the MDM group (AAD_Sec_User_Windows10_Corporate)

Users -
BYOD.yes - AAD_Sec_User_Windows10_BYOD


BYOD.no -



BYOD.Both - AAD_Sec_User_Windows10_BYOD - AAD_Sec_User_Windows10_Corporate


Update the MAM scope -
MAM user scope now contains only one group - AAD_Sec_User_Windows10_BYOD
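A check of the resulting configuration, as an added example that is not part of the original post: the script below reads the Intune MDM and MAM user scopes from Microsoft Graph and reports which scope each of the test users above falls into, so the expected enrollment outcome can be confirmed before a user touches a device. It assumes the Microsoft.Graph PowerShell SDK cmdlets named in the comments and uses a placeholder tenant domain.

```powershell
# Added example, not from the original post: audit which Intune MDM/MAM user
# scope each test user falls into. Assumes the Microsoft.Graph PowerShell SDK
# (Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Users) and a signed-in
# admin with Policy.Read.All, GroupMember.Read.All and User.Read.All.
Connect-MgGraph -Scopes 'Policy.Read.All', 'GroupMember.Read.All', 'User.Read.All'

# The Intune MDM and MAM scopes are mobilityManagementPolicy objects in Entra ID;
# AppliesTo is 'all', 'none' or 'selected' (only then do the included groups matter).
$mdm = Get-MgPolicyMobileDeviceManagementPolicy | Where-Object DisplayName -eq 'Microsoft Intune'
$mam = Get-MgPolicyMobileAppManagementPolicy    | Where-Object DisplayName -eq 'Microsoft Intune'

function Get-ScopeGroupIds {
    param($Policy, [scriptblock]$IncludedGroups)
    switch ($Policy.AppliesTo) {
        'all'      { return '*' }          # every licensed user is in scope
        'selected' { return @(& $IncludedGroups | ForEach-Object Id) }
        default    { return @() }          # 'none': nobody can enroll
    }
}
$mdmScope = Get-ScopeGroupIds $mdm { Get-MgPolicyMobileDeviceManagementPolicyIncludedGroup -MobilityManagementPolicyId $mdm.Id -All }
$mamScope = Get-ScopeGroupIds $mam { Get-MgPolicyMobileAppManagementPolicyIncludedGroup    -MobilityManagementPolicyId $mam.Id -All }

function Test-InScope([string[]]$UserGroupIds, $ScopeGroupIds) {
    if ($ScopeGroupIds -eq '*') { return $true }
    foreach ($g in $UserGroupIds) { if ($ScopeGroupIds -contains $g) { return $true } }
    return $false
}

# The post's test users; the UPN suffix is a placeholder for your tenant domain.
$testUsers = 'user04', 'user06', 'byod.yes', 'byod.no', 'byod.both' | ForEach-Object { "$_@contoso.example" }
foreach ($upn in $testUsers) {
    $user = Get-MgUser -UserId $upn
    # Transitive membership, on the assumption that the scope honours nested groups.
    $groupIds = Get-MgUserTransitiveMemberOf -UserId $user.Id -All | ForEach-Object Id
    [pscustomobject]@{
        User     = $upn
        MdmScope = Test-InScope $groupIds $mdmScope   # $true => Autopilot/MDM enrollment allowed
        MamScope = Test-InScope $groupIds $mamScope   # $true => Company Portal MAM registration allowed
    }
}
```

For this post's groups, User04 and BYOD.Both should report MdmScope $true, BYOD.yes and BYOD.Both MamScope $true, and User06 and BYOD.no $false for both.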


====================================================================

Updated Microsoft 365 Apps -
Added the group AAD_Sec_User_Windows10_BYOD to the "Available for enrolled devices" assignment.



Updated to show in the Company Portal.



Testing


byod.no - Azure AD registered (not managed)
Settings - Accounts - Access work or school - Connect - corporate email address
Configure Windows 10 Mail app
Install Office Apps for Enterprise
Activate Word - Sign out with the personal email - Sign in with the corporate email
Configure Outlook
Configure OneDrive for Business

Company Portal - Azure AD registered (not managed)
Allow my organization to manage my device - Yes (Default) -
Terms and Conditions -
Outlook -

byod.no
Access Company Email via Outlook
Access Company Email via the Mail app






byod.yes
Login with Outlook account
Register via Company Portal


byod.both
Login with Outlook account
Register via Company Portal
