In the first part of this guide series I outlined the following objectives I’d try to cover:

  • Join Windows 10 Enterprise edition VM’s to Intune Standalone
  • Manage GPO like settings
  • Manage Software Updates
  • Deploy Software
  • Perform OSD using AutoPilot

In Part 4 I am going to turn away from the objectives and focus on setting up Intune to handle the managed Bring your own Device (BYOD) scenario for iOS and Android devices.

Once I am done with managed BYOD I’ll cover unmanaged BYOD, by far the most popular form of device management for iOS and Android.

Ok. Once we’ve worked through the long list of tasks ahead, we’ll have Intune configured for managed BYOD: devices are enrolled (Workplace Joined) into Intune by the user and treated as personal devices. We’ll protect the company’s data inside several managed applications and prohibit sharing of that data to unmanaged applications. We will also block attempts to use legacy protocols and authentication, such as ActiveSync, from unmanaged applications. An immediate drawback of managed BYOD is that a device can only be enrolled into one tenant at a time, which is why most people are now turning to unmanaged BYOD and doing away with any configuration of the device.

Key objectives would be:

  • Target iOS and Android devices
  • Enforce a password policy to protect the device
  • Protect company data on the supported devices
  • Block legacy authentication and ActiveSync on the devices
  • Control targeting to specific users (our test user)

Bare minimums for this guide would be:

  • Intune setup enough to get going
    • Follow a guide such as Intune Standalone – Part 1; note that guide was written to get Intune running under evaluation with minimal configuration, so you should get the DNS sorted
  • Licenses – get trials, buy a cheap subscription, whatever you need to do to get the following:
    • Office 365
    • Enterprise Mobility + Security
      • A test user should be added to the Intune Enrollment group
  • Apple MDM Push certificate configured
  • Managed Google Play linked to Intune
  • Device Enrollment restrictions set to allow iOS/iPadOS and Android Enterprise (work profile)
  • An AAD group (technically could be an AD group) for targeting these policies at

Out of the box, Intune needs quite a lot of configuration to support the managed BYOD scenario. For iOS and Android devices we’re going to produce the following:

  1. An AAD Group for targeting of users and their iOS and Android devices
  2. Conditional Access – iOS & Android
  3. Conditional Access – iOS & Android – Block ActiveSync
  4. Conditional Access – iOS & Android – Block Legacy Auth
  5. Device Configuration – Android Enterprise Configuration Profile – Work Profile
  6. Device Configuration – iOS Configuration Profile – Device Restrictions
  7. Device Compliance – Android Device Policy – Enterprise – Work Profile
  8. Device Compliance – iOS Device Policy
  9. Approve multiple managed applications for iOS and Android
  10. App Configuration Policies – Android Enterprise – Microsoft Outlook
  11. App Configuration Policies – iOS – Microsoft Outlook
  12. App Protection Policies – Application policy for Android
  13. App Protection Policies – Application policy for iOS

Without much further ado let’s dive right in.

Azure Active Directory group

So that the configuration we’re about to create can be specifically targeted at test users we will create a security group in Azure.

Remember that this security group can be an AD group replicated up to Azure Active Directory via Azure AD Connect. For this guide I will use an Azure Active Directory security group.

All the steps are performed within the Azure Portal (portal.azure.com). The Device Management portal at devicemanagement.microsoft.com will do as well; things are a bit more organised and easier to access there, and I’ll use it for the next guide on unmanaged BYOD.

  • Open the Azure Portal
  • Select Azure Active Directory, then Groups
  • Select New group
  • For Group type keep the default or select Security
  • For Group name enter Intune_Managed_Mobile
  • For Membership type keep the default or select Assigned
  • Finally select Create

Now add your test user to this group, making sure the user is a member of your Intune Enrollment group, and that the user also has an Office 365 license assigned.

And now for the heavy click-fest of rapidly configuring a lab environment. Get ready, here come the Conditional Access policies.

Conditional Access Policies

Let’s start with the configuration that can take the most time to become available, Conditional Access.

Changes here can take several minutes or even hours to become active. Bear this in mind when testing: if you make a change, see no result a little while later, and then make further changes, you may be reacting to a policy that simply hasn’t applied yet.

We have three Conditional Access policies to build:

  • iOS & Android
    • Allows iOS and Android devices in if they are compliant (see the device compliance policies later in the guide) and using an approved managed application with modern authentication
  • iOS & Android – Block ActiveSync
    • Blocks legacy Exchange ActiveSync; used in tandem with the policy below, this stops all ActiveSync connections
  • iOS & Android – Block Legacy Auth
    • Blocks legacy authentication from unmanaged applications that don’t use modern authentication, which means the native email client on iOS and any installed non-managed email client on Android

Let’s start with the first.

CA – iOS & Android

  • Open the Azure Portal
  • Visit Microsoft Intune > Conditional Access
  • Select New Policy
  • For Name Enter CA – iOS & Android
  • Under Assignments Select Users and Groups
  • Select Select users and groups and tick Users and Groups
  • Select Select, find the Intune_Managed_Mobile group and select Select, Select Done
  • Select Cloud apps or actions
  • Select Select apps
  • Select Select and then find and select Office 365 (preview) (the name will most likely change over time …), select Select, select Done
  • Select Conditions
  • Select Device platforms
  • Select Yes to Apply policy to selected device platforms
  • Select Select device platforms and tick Android and iOS and then select Done
  • Select Client apps (Preview) (the name will most likely change …), select Yes to Configure and then tick Browser, Mobile apps and desktop clients, Modern authentication clients and Other clients, select Done, select Done
  • Under Access Controls select Grant
  • Select Grant Access and then tick Require device to be marked as compliant and Require approved client app, then select Select
  • Select On for Enable policy and then Select Create

For illustration purposes here’s what that new Conditional Access policy looks like:

Users and Groups

Cloud apps or actions

Conditions – Device platforms

Conditions – Client apps (Preview)

Access controls – Grant

And now onto the second Conditional Access policy.

CA – iOS & Android – Block ActiveSync

  • Open the Azure Portal
  • Navigate to Microsoft Intune > Conditional Access
  • Select New policy
  • For Name Enter CA – iOS & Android – Block ActiveSync
  • Under Assignments Select Users and Groups
  • Select Select users and groups and tick Users and Groups
  • Select Select, find the Intune_Managed_Mobile group and select Select, Select Done
  • Select Cloud apps or actions
  • Select Select apps
  • Select Select and then find and select Office 365 (preview) (the name will most likely change over time …), select Select, select Done
  • Select Conditions
  • Select Device platforms
  • Select Yes to Apply policy to selected device platforms
  • Select Select device platforms and tick Android and iOS and then select Done
  • Select Client apps (Preview) (the name will most likely change …), select Yes to Configure and then tick Mobile apps and desktop clients, Exchange ActiveSync Clients and Apply policy only to supported platforms, select Done, select Done
  • Under Access Controls select Grant
  • Select Block Access and then select Select
  • Select On for Enable policy and then Select Create


For illustration purposes we will only note the variation from the Conditional Access policy screenshots above:

Conditions – Client apps (Preview)

Access controls – Grant

And now onto the third and final Conditional Access policy.

CA – iOS & Android – Block Legacy Auth

  • Open the Azure Portal
  • Navigate to Microsoft Intune > Conditional Access
  • Select New policy
  • For Name Enter CA – iOS & Android – Block Legacy Auth
  • Under Assignments Select Users and Groups
  • Select Select users and groups and tick Users and Groups
  • Select Select, find the Intune_Managed_Mobile group and select Select, Select Done
  • Select Cloud apps or actions
  • Select Select apps
  • Select Select and then find and select Office 365 (preview) (the name will most likely change over time …), select Select, select Done
  • Select Conditions
  • Select Device platforms
  • Select Yes to Apply policy to selected device platforms
  • Select Select device platforms and tick Android and iOS and then select Done
  • Select Client apps (Preview) (the name will most likely change …), select Yes to Configure and then tick Mobile apps and desktop clients, Other clients, select Done, select Done
  • Under Access Controls select Grant
  • Select Block Access and then select Select
  • Select On for Enable policy and then Select Create

For illustration purposes we will only note the variation from the Conditional Access policy screenshots above:

Conditions – Client apps (Preview)

Access controls – Grant

We now have Conditional Access configured: no legacy authentication is allowed, and a managed application with modern authentication is required.
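The same three policies can be created with the Microsoft Graph PowerShell SDK instead of clicking through the portal. This is an added example, not part of the original guide; it assumes the Microsoft.Graph module is installed, that the signed-in account may write Conditional Access policies, and my reading of the old Client apps (Preview) tick boxes: "Mobile apps and desktop clients" is only a grouping, and its ticked children map to the Graph values mobileAppsAndDesktopClients (Modern authentication clients), exchangeActiveSync plus easSupported (Exchange ActiveSync clients, Apply policy only to supported platforms) and other (Other clients).

```powershell
# Added example: the three Conditional Access policies from this guide via Graph.
# Assumes Microsoft.Graph is installed and the account can write CA policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","Group.Read.All"

$group = Get-MgGroup -Filter "displayName eq 'Intune_Managed_Mobile'"
if (-not $group) { throw "Group Intune_Managed_Mobile not found" }

# Everything the three policies share: the test group, the Office 365 app group
# and the iOS/Android platform condition. Only client app types and controls differ.
function New-ManagedMobilePolicy {
    param(
        [string]   $Name,
        [string[]] $ClientAppTypes,   # Graph names of the "Client apps" tick boxes
        [string[]] $Controls,         # Graph names of the grant/block controls
        [string]   $State = "enabled" # use "enabledForReportingButNotEnforced" to stage
    )
    $body = @{
        displayName = $Name
        state       = $State
        conditions  = @{
            users          = @{ includeGroups = @($group.Id) }
            applications   = @{ includeApplications = @("Office365") }
            platforms      = @{ includePlatforms = @("android", "iOS") }
            clientAppTypes = $ClientAppTypes
        }
        grantControls = @{ operator = "AND"; builtInControls = $Controls }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# 1. Compliant device AND approved client app for browser, modern auth and other clients
New-ManagedMobilePolicy -Name "CA – iOS & Android" `
    -ClientAppTypes @("browser", "mobileAppsAndDesktopClients", "other") `
    -Controls @("compliantDevice", "approvedApplication")

# 2. Block Exchange ActiveSync; easSupported = "Apply policy only to supported platforms"
New-ManagedMobilePolicy -Name "CA – iOS & Android – Block ActiveSync" `
    -ClientAppTypes @("exchangeActiveSync", "easSupported") `
    -Controls @("block")

# 3. Block "Other clients", i.e. legacy authentication without modern auth
New-ManagedMobilePolicy -Name "CA – iOS & Android – Block Legacy Auth" `
    -ClientAppTypes @("other") `
    -Controls @("block")
```

Passing -State "enabledForReportingButNotEnforced" first lets you watch the sign-in logs for what the block policies would catch before they bite, which is useful given the propagation delay noted above.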

Device Configuration Policies

Now we turn to the device configuration policies.

  • Device Configuration – Android Enterprise Configuration Profile – Work Profile
    • A configuration policy for both work profile and device restrictions
  • Device Configuration – iOS Configuration Profile – Device Restrictions
    • A configuration policy for device restrictions

Android Enterprise Configuration Profile – Work Profile

  • Open the Azure Portal
  • Navigate to Microsoft Intune > Device configuration > Profiles
  • Select Create profile
  • Name the policy Android Enterprise Configuration Profile – Work Profile
  • For Platform Select Android Enterprise
  • For Profile Type select from the Work Profile only section Device restrictions
  • Select Settings if necessary and then Select Work profile settings
  • Under General Settings for Copy and paste between work and personal profiles select Block
  • For Data sharing between work and personal profiles Select Prevent any sharing across boundaries
  • For Search work contacts from personal profile Select Block
  • Under Work Profile Password, set Require Work Profile Password
  • For Minimum password length Enter 6 or a value of your choice for the length of the password or PIN as long as you make sure the compliance policy is also adjusted with any custom value you choose here
  • For Maximum minutes of inactivity until work profile locks select 5 Minutes or a value of your choice as long as you make sure the compliance policy is also adjusted with any custom value you choose here
  • For Required password type Select Device default and Select OK
  • Select Device password
  • For Minimum password length Enter 6
  • For Maximum minutes of inactivity until screen locks Select 5 Minutes
  • For Required password type Select Required and Select OK and OK again and finally select Save
  • Select Assignments, and for Assign to Select Selected Groups
  • Select Select groups to include, find the Intune_Managed_Mobile group and select Select and finally Save
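The work profile restrictions above, created and assigned through the Microsoft Graph PowerShell SDK. This is an added example, not part of the original guide; the property names are my reading of the Graph androidWorkProfileGeneralDeviceConfiguration resource and the two cmdlets from Microsoft.Graph.DeviceManagement, so check them against the current Graph reference before relying on them.

```powershell
# Added example: Android Enterprise work profile restrictions via Graph PowerShell.
# Assumes Microsoft.Graph is installed and the account can write Intune configuration.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All","Group.Read.All"

$group = Get-MgGroup -Filter "displayName eq 'Intune_Managed_Mobile'"
if (-not $group) { throw "Group Intune_Managed_Mobile not found" }

# Values mirror the portal choices: block copy/paste and contact search across the
# profile boundary, prevent any data sharing, 6-character PIN and a 5 minute lock.
# Keep the 6 / 5 values in step with the compliance policy, as the guide warns.
# ($workProfile rather than $profile: $PROFILE is a PowerShell automatic variable.)
$workProfile = @{
    "@odata.type" = "#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration"
    displayName   = "Android Enterprise Configuration Profile – Work Profile"
    # Work profile settings
    workProfileBlockCrossProfileCopyPaste      = $true
    workProfileDataSharingType                 = "preventAny"
    workProfileBlockCrossProfileContactsSearch = $true
    workProfileRequirePassword                 = $true
    workProfilePasswordMinimumLength           = 6
    workProfilePasswordMinutesOfInactivityBeforeScreenTimeout = 5
    workProfilePasswordRequiredType            = "deviceDefault"
    # Device password
    passwordMinimumLength                          = 6
    passwordMinutesOfInactivityBeforeScreenTimeout = 5
    passwordRequiredType                           = "required"
}
$created = New-MgDeviceManagementDeviceConfiguration -BodyParameter $workProfile

# Assign the profile to the same group the Conditional Access policies target.
$assignment = @{
    target = @{
        "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
        groupId       = $group.Id
    }
}
New-MgDeviceManagementDeviceConfigurationAssignment `
    -DeviceConfigurationId $created.Id -BodyParameter $assignment
```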

For illustration purposes here’s what that new Android configuration policy looks like:

Work profile settings

Device password

iOS Configuration Profile – Device Restrictions

  • Open the Azure Portal
  • Navigate to Microsoft Intune > Device configuration > Profiles
  • Select Create profile

For illustration purposes here’s what that new iOS configuration policy looks like:

Password

App store, Doc Viewing, Gaming

Cloud and Storage