Device Management Basics for Users

Tags: intune, mdm

At the University of Windsor, Intune combined with Azure AD provides device and application management, corporate data protection, identity management and directory services.

Azure Active Directory (Azure AD or AAD) is Microsoft's cloud-based identity and access management directory service, which allows users to sign in and access resources such as Microsoft 365 Apps, other applications like UWinsite Student and UWinsite Finance, and internal resources such as network printers and storage. 

Intune is Microsoft's Mobile Device Management (MDM) system that the University uses to manage University-owned (corporate) and personal (BYOD) devices used by faculty, staff and students, including desktop/laptop computers (Windows 10/11 and macOS) and mobile devices (Android and iOS). In general, these devices are managed with a "light touch", meaning that only a minimal set of settings is defined. Classroom and lab computers are managed more heavily to ensure a consistent and secure environment for shared computers. On personal devices used for work or school ("Bring Your Own Device" or BYOD), only University apps and data are managed (see the Privacy section below for details).

This article covers the following topics:

  • Privacy
  • Enrolling your devices
  • Managing your devices and data

Privacy

When a device is under device management, some information about the device and its registered user is shared with the University of Windsor ("the organization"). The organization will “trust” the device and its users with access to protected data, so this information is essential. The following table describes what information MDM administrators in IT Services can access.

Never (the organization cannot see this):

  • Calling and web browsing history
  • E-mail and text messages
  • Contacts
  • Calendar
  • Passwords
  • Pictures, including what's in the photos app or camera roll
  • Files

Always (the organization can see this on every managed device):

  • Device model, like OptiPlex 790
  • Device manufacturer, like Dell
  • Operating system and version, like Windows 10 build 10.0.19043.1288
  • App names, like Microsoft Word: on personal BYOD devices, your organization can only see your managed University apps inventory, not your personal apps. On corporate-owned devices, your organization can see all of your app inventory.
  • Device owner
  • Device name
  • Device serial number
  • IMEI

Maybe (depends on device ownership and the policies applied):

  • Phone number: for corporate-owned devices, your full phone number can be seen. For personal BYOD devices, only the last four digits of your phone number are visible to your organization.
  • Device storage space
  • Location: your organization can never see your device's location, unless you need to recover a lost, supervised iOS device.
  • Network information: only when a policy that collects it has been activated.

Enrolling your devices

Devices that are joined to or registered in the University's Azure AD are also automatically enrolled in the Intune device management system. In the context of device management, Azure AD joined devices are classified as corporate and Azure AD registered devices are classified as personal (BYOD).

When a user connects their "work or school account" on their device, it is registered in Azure AD and enrolled in Intune. This can happen in three different ways:

  • automatically when the user installs Microsoft 365 Apps (formerly Office 365) from portal.office.com, or
  • manually through Windows Settings (Accounts - Access work or school - Connect), or
  • through the Company Portal app.

When a device is only registered (not joined), only University data and apps are managed, and very little information about the device is collected and stored in Azure AD.

When a Windows 10/11 device is joined to Azure AD as a corporate device, it can be fully managed by the organization. This allows users of the device to use Single Sign-On (SSO) features, and it also gives them a place to securely store their BitLocker device encryption recovery key. Only devices used exclusively for University business should be joined to Azure AD. Personal devices used for work (e.g. family home computers) and student-owned computers used to access University systems and data (BYOD) should be registered with Azure AD instead.

Corporate Windows 10/11 devices can be joined to AAD by an IT technician or by the user in two different ways:

  • manually through Windows Settings (Accounts - Access work or school - Connect - Join to Azure AD), or
  • automatically during the out-of-box experience (OOBE), the initial setup of Windows 10/11, when signing in with a University account.
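Because "joined" (corporate) and "registered" (personal) look almost the same in the Windows Settings UI, it helps to check which state a device actually ended up in. The following PowerShell script is an added example and is not part of the University's article or of any Microsoft tool; it reads the output of the built-in dsregcmd utility and, for Azure AD joined devices, backs the BitLocker recovery password up to Azure AD with the BackupToAAD-BitLockerKeyProtector cmdlet from Windows' BitLocker module. The dsregcmd field names (AzureAdJoined, WorkplaceJoined, TenantName, DeviceName) are the ones the tool prints; the registry values used to detect an Intune enrollment (ProviderID "MS DM Server" and EnrollmentState 1 under HKLM\SOFTWARE\Microsoft\Enrollments) are the author's assumption about how Intune records a completed enrollment and should be confirmed against the Company Portal app.

```powershell
# Added example (not from the University article). Run in an elevated PowerShell
# prompt on the Windows 10/11 device you want to check.

function Get-DsregStatus {
    # Turn every "   Key : Value" line printed by dsregcmd /status into a
    # hashtable entry. Keys lose their spaces ("Device Name" -> "DeviceName");
    # the first occurrence of a key wins.
    $status = @{}
    foreach ($line in (& dsregcmd.exe /status 2>&1)) {
        if ("$line" -match '^\s*([A-Za-z0-9 ]+?)\s*:\s*(.+?)\s*$') {
            $key = $Matches[1] -replace '\s', ''
            if (-not $status.ContainsKey($key)) { $status[$key] = $Matches[2] }
        }
    }
    return $status
}

function Test-IntuneEnrolled {
    # ASSUMPTION: a completed Intune enrollment appears as a subkey of
    # HKLM\SOFTWARE\Microsoft\Enrollments with ProviderID 'MS DM Server'
    # and EnrollmentState = 1. Treat $false as "check Company Portal".
    $root = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    if (-not (Test-Path $root)) { return $false }
    foreach ($key in (Get-ChildItem $root -ErrorAction SilentlyContinue)) {
        $p = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if ($p.ProviderID -eq 'MS DM Server' -and $p.EnrollmentState -eq 1) { return $true }
    }
    return $false
}

function Get-DeviceManagementState {
    $s = Get-DsregStatus
    $joined     = $s['AzureAdJoined']   -eq 'YES'   # corporate device
    $registered = $s['WorkplaceJoined'] -eq 'YES'   # personal / BYOD device

    $joinType = if ($joined)          { 'Azure AD joined (corporate)' }
                elseif ($registered)  { 'Azure AD registered (personal / BYOD)' }
                else                  { 'Not attached to Azure AD' }

    [pscustomobject]@{
        DeviceName     = $s['DeviceName']
        Tenant         = $s['TenantName']
        JoinType       = $joinType
        IntuneEnrolled = Test-IntuneEnrolled
    }
}

function Invoke-BitLockerKeyEscrow {
    # On an Azure AD joined device, push the OS volume's recovery password(s)
    # to Azure AD so they appear under the device at myprofile.microsoft.com.
    # Re-running this for a key that is already escrowed is harmless.
    $drive = $env:SystemDrive
    $vol = Get-BitLockerVolume -MountPoint $drive
    if ($vol.ProtectionStatus -ne 'On') {
        Write-Warning "BitLocker protection is not on for $drive; nothing to escrow."
        return
    }
    $recoveryProtectors = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $recoveryProtectors) {
        Write-Warning "No RecoveryPassword protector on $drive; add one before escrowing."
        return
    }
    foreach ($kp in $recoveryProtectors) {
        BackupToAAD-BitLockerKeyProtector -MountPoint $drive -KeyProtectorId $kp.KeyProtectorId
        Write-Host "Escrowed recovery password $($kp.KeyProtectorId) for $drive to Azure AD."
    }
}

$state = Get-DeviceManagementState
$state | Format-List

# A personal (registered) device should never be joined; a joined device
# should have its BitLocker recovery key stored in Azure AD.
if ($state.JoinType -like 'Azure AD joined*') {
    Invoke-BitLockerKeyEscrow
}
elseif ($state.JoinType -like 'Azure AD registered*') {
    Write-Host 'Registered (BYOD) device: only University apps and data are managed.'
}
```

If the report shows "Azure AD joined" on a family computer or a student's own laptop, the device was attached the wrong way: disconnect the account under Settings - Accounts - Access work or school and reconnect it without choosing "Join this device to Azure Active Directory".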

Managing your devices and data

You can see and manage all of your enrolled managed devices using the Company Portal app, which is installed automatically on every Azure AD joined Windows 10/11 computer and manually during enrollment on macOS computers and mobile iOS/iPadOS/Android devices. There is also a web version of this app at portal.manage.microsoft.com. The app allows you to:

  • See all of your managed devices
  • Give user friendly display names to your managed devices
  • Install additional apps on your managed devices
  • Check whether your managed devices meet the minimum requirements (device compliance) for full access to University apps, systems and data (conditional access)
  • Initiate device check-in to update and re-evaluate device compliance policies
  • Reset your device PIN, if enabled.
  • Reset your device operating system back to factory settings and wipe all apps and data in the event that the device is lost or stolen.

There are two additional portals that you can use to manage your data and apps:

myprofile.microsoft.com is the site where users manage their security settings for MFA; it also provides a list of their enrolled devices and the BitLocker recovery keys stored for them. At this site users can disable lost devices, see the log of their sign-ins, remotely sign out from all devices, view their enterprise apps, and see a list of the groups they belong to.

educationstore.microsoft.com is the education version of the Microsoft Store. When people log in with their UWin account, they can access software that we have made available to them in the "private store" by clicking on the University of Windsor tab. Access works for both corporate and personal (BYOD) devices, although this service is geared towards devices that are not enrolled in Intune.