Device Administration Basics for Users

Tags intune mdm

At the University of Windsor, Intune combined with Azure AD provides device and application administration, corporate data protection, identity management and directory services. This article covers the following topics:

Basic Concepts

Azure Active Directory (Azure AD or AAD) is Microsoft's cloud-based identity and access management directory service, which allows users to sign in and access resources such as Microsoft 365 Apps, other applications like UWinsite Student and UWinsite Finance, and internal resources such as network printers and storage. 

Intune is Microsoft’s Mobile Device Management (MDM) system that the University uses to administer University-owned "corporate" and personal (BYOD) devices used by faculty, staff and students, including desktop/laptop computers (Windows 10 / macOS) and mobile devices (Android / iOS). In general, these devices will be administered with a “light touch” meaning that only minimal settings will be defined. In the case of classroom and lab computers, the administration will be “heavier” to ensure a consistent and secure environment for shared computers. On personal devices used for work or school ("Bring your Own Device" or BYOD), only University apps and data will be administered. See Privacy section below for more details.

 

Privacy

When a device is under device administration, some information about the device and its registered user is shared with the University of Windsor ("the organization"). The organization will “trust” the device and its users with access to protected data, so this information is essential. The following table describes what information MDM administrators in IT Services can access.

Never

Always

Maybe
  • Calling and web browsing history
  • E-mail and text messages
  • Contacts
  • Calendar
  • Passwords
  • Pictures, including what's in the photos app or camera roll
  • Files
  • Device model, like OptiPlex 790
  • Device manufacturer, like Dell
  • Operating system and version, like Windows 10 build 10.0.19043.1288
  • App names, like Microsoft Word: On personal BYOD devices, your organization can only see your administered University apps inventory, not your personal apps. On corporate-owned devices, your organization can see all of your app inventory.
  • Device owner
  • Device name
  • Device serial number
  • IMEI
  • Phone number: For corporate-owned devices, your full phone number can be seen. For personal BYOD devices, just the last four digits of your phone number are visible to your organization.
  • Device storage space
  • Location: Your organization can never see your device's location, unless you need to recover a lost, supervised iOS device.
  • Network information. (policy activated)

Enrolling Your Devices

Devices that are joined to or registered in Azure AD are also automatically enrolled in the Intune device management system. AAD joined devices are classified as corporate and AAD-registered devices are classified as personal (BYOD) in the context of device management.

Registered Devices

When user connects their “work or school account” on their device, it is registered in Azure AD and enrolled in Intune, as long as the box next to "Allow my organization to manage this device" remains checked during the enrollment process. This can happen in a three different ways:

  • automatically when user installs Microsoft 365 Apps (formerly Office 365) from portal.office.com, or
  • manually through Windows Settings (Accounts - Access work or school - Connect), or 
  • through the Company Portal app.

When a device is registered, it is automatically classified as personal. Only University data and apps are being managed on personal devices, and very little information about the device is collected and stored in Azure AD.

Joined Devices

When a Windows 10/11 device is joined to Azure AD as a corporate device, it can be fully managed by the organization. This will allow users of the device to use Single Sign-On (SSO) features, and it also provides a place for them to securely store their BitLocker device encryption key. Only devices used exclusively for University business should be joined to Azure AD. Personal devices used for work (e.g. family home computers) and student-owned computers used to access University systems and data (BYOD) should be registered with Azure AD instead.

Corporate Windows 10/11 devices can be joined to AAD by an IT technician or by the user in two different ways:

  • manually through Windows Settings (Accounts - Access work or school - Connect - Join to Azure AD), or
  • automatically during the out-of-the-box (OOBE) initial setup of Windows 10/11.

Administering Your Devices

You can see and manage all of your enrolled administered devices using the Company Portal app that gets installed automatically on every Azure AD joined Windows 10/11 computer, or manually during enrollment on macOS computers and mobile iOS/iPadOS/Android devices. There is also a web version of this app available at portal.manage.microsoft.com This app allows you to:

  • See all of your University administered devices
  • Give user-friendly display names to your administered devices
  • Install additional apps on your administered devices
  • Check if your administered devices meet minimum requirements (device compliance) for full access to University apps, systems and data (conditional access)
  • Initiate device check-in to update and re-evaluate device compliance policies
  • Reset your device PIN, if enabled.
  • Reset your device operating system back to factory settings and wipe all apps and data in the event device is lost or stolen.

In addition, you can use myprofile.microsoft.com (or myaccount.microsoft.com) website to manage your Microsoft work or school security settings for MFA, and it also provides a list of enrolled devices and encryption keys.  You can disable lost devices, see the log of their sign-ins, remotely sign out from all devices, view your enterprise apps, and a list of groups you belong to.

Frequently Asked Questions

Why am I being prompted to enroll my personal smartphone when trying to use Microsoft Teams, Outlook or Authenticator app on it?

This happens if you agreed to participate in device compliance conditional access pilot. Compliance policies are assigned to all administered devices and are used to determine if the device is "compliant" with minimum requirements as defined in the assigned compliance policy. Personal devices that have University apps installed on them have to meet the same minimum requirements as corporate devices in order to retain access to University apps, systems and data. Being enrolled in Intune is one of the requirements for the device to be deemed as compliant. Therefore, if you are using your personal smartphone for work, your device has to be enrolled in Intune so that its compliance can be evaluated. As of Q4 2023, device compliance conditional access will be enforced on all employee accounts.  

 

Details

Article ID: 99410
Created
Thu 2/27/20 1:51 PM
Modified
Sat 5/20/23 5:06 PM

Related Articles (8)

Device Compliance - Mac
In order for your macOS computer to be deemed as compliant, it must meet a number of requirements. Non-compliant devices will not be able to access some of the resources and systems.
Device Compliance - Windows
In order for your work computer to be deemed as compliant, it must meet a number of requirements. Non-compliant devices will not be able to access some of the resources and systems starting in Q4 of 2023.
Enrolling macOS workstation in Intune using the Company Portal app
This article describes how to use the Company Portal app for macOS to enroll their work or BYOD devices themselves through the Company Portal app.
Enrolling user-owned (BYOD) Windows computer in Intune
In the summer of 2018, University adopted Microsoft Azure Active Directory (AAD) and Intune as a new platform for the management of computers and mobile devices. This article provides you with step-by-step instructions on how to register your personal (non-University owned) Windows 10/11 PC with University of Windsor Azure Active Directory and enroll it in Intune device management.
Known issue: "Your organization doesn't allow you to download, print, or sync using this device."
When accessing OneDrive or other Microsoft 365 Apps in a browser you may see a message displayed on the top of the browser window that says "Your organization doesn't allow you to download, print, or sync using this device (...) This can happen for three different reasons
Known Issue: Unable to see any apps on Company Portal
If you see a message "Your company hasn't made any apps available to you on this device" or "You don't have any apps yet" it means that your computer does not meet minimum requirements as defined in the device compliance policy (i.e. your device is not compliant).
Microsoft Company Portal
Microsoft Company Portal is an app that faculty and staff at the University of Windsor use to manage their workstations.
Software management on University macOS workstations
This article focuses on remote software management on University-owned "corporate" macOS workstations that are enrolled in Intune which allows us to remotely install Intune-managed client apps. Several apps are installed automatically enrolling Mac in Intune. Users of primary-user workstation can use Company Portal to install additional apps on demand.

Related Services / Offerings (1)

Software Depot
IT Services uses the Software Depot website to resell IBM SPSS / AMOS 28 to students.