This step by step tutorial will take you through how to design and create device categories, device and user groups for Intune / Endpoint Manager.
This is Part 6 of a 13 part series.
=====================================================================
Welcome to part 6 of my thirteen part series of tutorials taking you step by step on how to configure Microsoft Endpoint Manager / Intune, from initial DNS config up to Autopilot and application deployment. This series gives you all the knowledge you need for you to successfully deploy a basic Intune / Endpoint Manager environment.
Initial Tenant and Intune Configuration
1. Configure DNS and CNAME - Link
2. Company Branding - Self Service Password Reset (SSPR) - Enable Enterprise State Roaming - Link
3. Enable Conditional Access and MFA (Multi factor authentication) - Link - This Article
4. Configure Conditional Access Terms of Use - Link
5. Company Terms and Conditions - Link
6. User and Device Groups, and Device Categories - Link - This Tutorial
7. Set-up Autopilot profile and configure MAM and MDM scope for automatic enrollment - Link
7a. More information regarding options for configuring the MDM and MAM user scopes - Link
8. Enrollment Status Page - Link
9. Enrollment Restrictions - Link
10. Deploying Microsoft 365 apps (Office apps) - Link
11. Enable Microsoft Store for Business and publish the Company Portal app - Link
12. Assign Company Portal app - Link
13. Test autopilot via register online - Link
If you don't have a test environment for Intune / Endpoint Manager, just follow this guide on
How to get a Free Developer Tenant with 25 x E5 licenses and a free Top Level domain name - Link
======================================================================
Solution overview -
We will be creating six device categories to enable users to enroll their own device.
Users select their device category while enrolling their device via the Company Portal app.
For autopiloted devices, this app will be deployed to all corporate Windows devices, and the recipient of a corporate device will select the device category as part of their receipt and process. Enrollment for BYOD devices as well as corporate devices will also include the process of enrollment via the Company Portal.
The six device categories we will be creating are -
Applications, Configuration Profiles, Compliance Policies and Scripts will still be targeted to user groups and device groups.
Device Categories do not apply apps, profiles and policies - The associated dynamic device group does.
Device Categories are used to categorise devices to make it logical for users and administration.
The dynamic device group that is associated with the device category is used to assign profiles, applications, scripts and policies.
For this reason, it is critical to understand that if the end user enrolls their device and selects the incorrect device category, the device will receive the apps, profiles, policies and scripts assigned to the device category they chose incorrectly, not the ones they should be receiving if they chose the correct device category.
If a user selects the wrong device category, or fails to choose a device category at all, an Intune administrator can update it in the Endpoint Manager portal. Updating via the portal will update the device's membership to the underlying dynamic device group.
This process is detailed at the end of this tutorial.
Creating groups.
We will be creating two groups for each of the device categories.
- Dynamic Device Group that is associated with each device category
- Standard Azure AD group to manually add users to ensure users get apps, scripts, policies and profiles.
Groups can be created via the GUI or by PowerShell.
===============================================================
As an overview, we will be creating the following Device Categories, user and device groups
Windows 10 Corporate - (Device Category)
AAD_Sec_Device_Category_Windows10_Corporate
AAD_Sec_User_Windows10_Corporate
Windows 10 BYOD - (Device Category)
AAD_Sec_Device_Category_Windows10_BYOD
AAD_Sec_User_Windows10_BYOD
Android Corporate - (Device Category)
AAD_Sec_Device_Category_Android_Corporate
AAD_Sec_User_Android_Corporate
Android BYOD - (Device Category)
AAD_Sec_Device_Category_Android_BYOD
AAD_Sec_User_Android_BYOD
iOS Corporate - (Device Category)
AAD_Sec_Device_Category_iOS_Corporate
AAD_Sec_User_iOS_Corporate
iOS BYOD - (Device Category)
AAD_Sec_Device_Category_iOS_BYOD
AAD_Sec_User_iOS_BYOD
======================================================================
Before creating the groups, we need to create the device categories
Create the device categories -
Devices - Device Categories (scroll down to the bottom)
Create device category -
Name - Windows 10 Corporate - Next
Scope tags - None -
Next
Create -
The category will be created -
Create all Device Categories -
Windows 10 Corporate
Windows 10 BYOD
Android Corporate
Android BYOD
iOS Corporate
iOS BYOD
=================================================================
Creating the dynamic device groups associated with the Device Categories -
Important -
When creating the dynamic device groups for the Device Categories, the text must match perfectly or the process will not work. When creating via PowerShell or via the GUI, copy and pasting the name of the category will ensure the name is correct.
This next section shows how to create dynamic device groups via the portal.
If you want to create the groups via PowerShell, scroll down past this section.
Creating the dynamic device group via the GUI -
Endpoint Manager - Groups - New Group
Group type - Security
Group Name - AAD_Sec_Device_Category_Windows10_Corporate
Group Description - Device Category group for Windows 10 Corporate
Membership type - Dynamic Device -
Adding the dynamic query -
Select - add dynamic query
Select - Edit -
Enter the following text - YOU MUST USE BRACKETS !
(device.deviceCategory -eq "Windows 10 Corporate")
Note - ensure the text highlighted in red perfectly matches the NAME of the device category.
The rule syntax is now updated -
Save
Create -
Group is now created
Create the other dynamic device groups ensuring the rule syntaxes matches each device category name
Windows 10 Corporate
Windows 10 BYOD
Android Corporate
Android BYOD
iOS Corporate
iOS BYOD
=======================================================================
Creating the Azure AD groups via PowerShell
Install the Azure AD PowerShell module - Link
PowerShell as admin
Install-Module -Name AzureAD
Connect to Azure AD via PowerShell - Link -
Connect-AzureAD
Script to create the non-dynamic user groups via PowerShell
New-AzureADGroup -DisplayName "AAD_Sec_User_Windows10_Corporate" -MailEnabled $false -SecurityEnabled $true -MailNickName "NotSet"
New-AzureADGroup -DisplayName "AAD_Sec_User_Windows10_BYOD" -MailEnabled $false -SecurityEnabled $true -MailNickName "NotSet"
New-AzureADGroup -DisplayName "AAD_Sec_User_Android_Corporate" -MailEnabled $false -SecurityEnabled $true -MailNickName "NotSet"
New-AzureADGroup -DisplayName "AAD_Sec_User_Android_BYOD" -MailEnabled $false -SecurityEnabled $true -MailNickName "NotSet"
New-AzureADGroup -DisplayName "AAD_Sec_User_iOS_Corporate" -MailEnabled $false -SecurityEnabled $true -MailNickName "NotSet"
New-AzureADGroup -DisplayName "AAD_Sec_User_iOS_BYOD" -MailEnabled $false -SecurityEnabled $true -MailNickName "NotSet"
The non-dynamic user groups have been created -
======================================================================
Creating the dynamic device groups for the Device Categories via PowerShell
As of 4 April 2021 - you need to uninstall the module AzureAD and force install the AzureADPreview module - Link
PowerShell admin -
Uninstall-Module -Name AzureAD
Install-Module -Name AzureADPreview -force
Connect to Azure AD
Connect-AzureAD
New-AzureADMSGroup -DisplayName "AAD_Sec_Device_Category_Windows10_Corporate" -Description "Device Category group for Windows 10 Corporate" -MailEnabled $False -MailNickName "group" -SecurityEnabled $True -GroupTypes "DynamicMembership" -MembershipRule "(device.deviceCategory -eq ""Windows 10 Corporate"")" -MembershipRuleProcessingState "On"
New-AzureADMSGroup -DisplayName "AAD_Sec_Device_Category_Windows10_BYOD" -Description "Device Category group for Windows 10 BYOD" -MailEnabled $False -MailNickName "group" -SecurityEnabled $True -GroupTypes "DynamicMembership" -MembershipRule "(device.deviceCategory -eq ""Windows 10 BYOD"")" -MembershipRuleProcessingState "On"
New-AzureADMSGroup -DisplayName "AAD_Sec_Device_Category_Android_Corporate" -Description "Device Category group for Android Corporate" -MailEnabled $False -MailNickName "group" -SecurityEnabled $True -GroupTypes "DynamicMembership" -MembershipRule "(device.deviceCategory -eq ""Android Corporate"")" -MembershipRuleProcessingState "On"
New-AzureADMSGroup -DisplayName "AAD_Sec_Device_Category_Android_BYOD" -Description "Device Category group for Android BYOD" -MailEnabled $False -MailNickName "group" -SecurityEnabled $True -GroupTypes "DynamicMembership" -MembershipRule "(device.deviceCategory -eq ""Android BYOD"")" -MembershipRuleProcessingState "On"
New-AzureADMSGroup -DisplayName "AAD_Sec_Device_Category_iOS_Corporate" -Description "Device Category group for iOS Corporate" -MailEnabled $False -MailNickName "group" -SecurityEnabled $True -GroupTypes "DynamicMembership" -MembershipRule "(device.deviceCategory -eq ""iOS Corporate"")" -MembershipRuleProcessingState "On"
New-AzureADMSGroup -DisplayName "AAD_Sec_Device_Category_iOS_BYOD" -Description "Device Category group for iOS BYOD" -MailEnabled $False -MailNickName "group" -SecurityEnabled $True -GroupTypes "DynamicMembership" -MembershipRule "(device.deviceCategory -eq ""iOS BYOD"")" -MembershipRuleProcessingState "On"
The groups have now been created -
Confirm creation is correct -
Properties - should show Membership type as Dynamic Device
Check the Dynamic membership rules are correct.
=====================================================================
To manage autopilot devices, it is important to create a dynamic device group targeting these devices.
Resource - Link
In PowerShell, run the following script to create the dynamic device group.
Create the Dynamic Device group for Autopilot devices
New-AzureADMSGroup -DisplayName "AAD_Sec_Device_AutopilotDevices" -Description "Autopilot Devices" -MailEnabled $False -MailNickName "group" -SecurityEnabled $True -GroupTypes "DynamicMembership" -MembershipRule '(device.devicePhysicalIDs -any _ -contains "[ZTDId]")' -MembershipRuleProcessingState "On"
The group will be created.
This group will targeted when creating the Enrollment Status Page in the next tutorial.
=====================================================================
Updating the device category via Endpoint Manager.
To set or update the device category of an individual device - (this works for all device types, including iOS and Android)
Endpoint Manager - Devices - All devices - Select the device
Select - Properties
Select the drop down box -
Select the correct device category
Click - Save
After about ten or twenty minutes, you can check and confirm that the device has now changed membership of the underlying dynamic device group.
===============================================================
Check out all my tutorials - Link
Highlights include -
13 part series on how to perform the initial Tenant and Intune Configuration - Link
1. Configure DNS and CNAME
2. Company Branding - Self Service Password Reset (SSPR) - Enable Enterprise State Roaming
3. Enable Conditional Access and MFA (Multi factor authentication)
4. Configure Conditional Access Terms of Use
5. Company Terms and Conditions
6. User and Device Groups, and Device Categories
7. Set-up Autopilot profile and configure MAM and MDM scope for automatic enrollment
7a. More information regarding options for configuring the MDM and MAM user scopes
8. Enrollment Status Page
9. Enrollment Restrictions
10. Deploying Microsoft 365 apps (Office apps)
11. Enable Microsoft Store for Business and publish the Company Portal app
12. Assign Company Portal app
13. Test autopilot via register online
===============================================================
About the author -
Terry Munro is an IT specialist based in Brisbane, Australia.
He draws upon over 20 years experience designing and delivering technical solutions to a variety of enterprise clients in the private, Government and Education sectors, to revolutionise client businesses through collaboration and getting the most value from a variety of cloud solutions.
He is passionate about learning new technologies and is a firm believer in sharing knowledge to provide a better experience for all.
You can connect with Terry
LinkedIn - https://www.linkedin.com/in/terry-munro/
Facebook - @IntuneAdmin - https://www.facebook.com/IntuneAdmin/
Facebook Community Group - https://www.facebook.com/groups/intuneadmin/
GitHub Repository - https://github.com/TeamTerry
No comments:
Post a Comment