At the University of Windsor, Microsoft Intune combined with Entra ID provides device and application administration, corporate data protection, identity management and directory services. This article covers the following topics:
- Basic Concepts
- Privacy
- Enrolling Your Devices
- Administering Your Devices
- Frequently Asked Questions
Basic Concepts
Entra ID (formerly Azure Active Directory or AAD) is Microsoft's cloud-based identity and access management directory service, which allows users to sign in and access resources such as Microsoft 365 Apps, other applications like UWinsite Student and UWinsite Finance, and internal resources such as network printers and storage.
Intune is Microsoft’s Mobile Device Management (MDM) system that the University uses to administer University "corporate" and personal (BYOD) devices used by faculty, staff and students, including desktop/laptop computers (Windows 10 / macOS) and mobile devices (Android / iOS). In general, these devices will be administered with a “light touch” meaning that only minimal settings will be defined. In the case of classroom and lab computers, the administration will be “heavier” to ensure a consistent and secure environment for shared computers. On personal devices used for work or school ("Bring your Own Device" or BYOD), only University apps and data will be administered. See Privacy section below for more details.
Privacy
When a device is under device administration, some information about the device and its registered user is shared with the University of Windsor ("the organization"). The organization will "trust" the device and its users with access to protected data, so this information is essential. The following lists describe what information MDM administrators in IT Services can never, always, or in some cases access.
Never
- Calling and web browsing history
- E-mail and text messages
- Contacts
- Calendar
- Passwords
- Pictures, including what's in the photos app or camera roll
- Files
Always
- Device model, like OptiPlex 790
- Device manufacturer, like Dell
- Operating system and version, like Windows 10 build 10.0.19043.1288
- App names, like Microsoft Word. On personal BYOD devices, your organization can only see the inventory of administered University apps, not your personal apps. On University devices, your organization can see your entire app inventory.
- Device owner
- Device name
- Device serial number
- IMEI
Maybe
- Phone number. On University devices, your full phone number can be seen. On personal BYOD devices, only the last four digits of your phone number are visible to your organization.
- Device storage space
- Location. Your organization can never see your device's location, unless you need to recover a lost, supervised iOS device.
- Network information, only when a policy that collects it has been activated.
Enrolling Your Devices
Devices that are joined to or registered in Entra ID are also automatically enrolled in the Intune device management system. In the context of device management, Entra ID joined devices are classified as corporate and Entra ID registered devices are classified as personal (BYOD).
Registered Devices
When a user connects their "work or school account" on their device, it is registered in Entra ID and enrolled in Intune, as long as the box next to "Allow my organization to manage this device" remains checked during the enrollment process. This can happen in three different ways:
- automatically when user installs Microsoft 365 Apps (formerly Office 365) from portal.office.com, or
- manually through Windows Settings (Accounts - Access work or school - Connect), or
- through the Company Portal app.
When a device is registered, it is automatically classified as personal. Only University data and apps are managed on personal devices, and very little information about the device is collected and stored in Entra ID.
Joined Devices
When a Windows 10/11 device is joined to Entra ID as a corporate device, it can be fully managed by the organization. This allows users of the device to use Single Sign-On (SSO) features, and it also gives them a place to securely store the BitLocker recovery key for their device encryption. Only devices used exclusively for University business should be joined to Entra ID. Personal devices used for work (e.g. family home computers) and student-owned computers used to access University systems and data (BYOD) should be registered with Entra ID instead.
Corporate Windows 10/11 devices can be joined to Entra ID by an IT technician or by the user in two different ways:
- manually through Windows Settings (Accounts - Access work or school - Connect - Join to Entra ID), or
- automatically during the out-of-the-box (OOBE) initial setup of Windows 10/11.
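If you are unsure whether a Windows computer was registered (personal) or joined (corporate) as described in the two sections above, the built-in `dsregcmd /status` report answers the question. The following PowerShell script is an added example, not part of the University's documentation or of Microsoft's tooling: it parses the `AzureAdJoined`, `DomainJoined` and `WorkplaceJoined` fields that dsregcmd prints and maps them onto the corporate/personal classification used on this page. The embedded sample report is constructed for illustration and is only used when dsregcmd.exe is not available on the host.

```powershell
# Added example: classify this Windows device as Entra ID joined (corporate)
# or Entra ID registered (personal / BYOD) from the `dsregcmd /status` report.
# The field names below (AzureAdJoined, DomainJoined, WorkplaceJoined) are the
# ones dsregcmd itself prints; everything else here is illustrative.

function ConvertFrom-DsregStatus {
    # Turn the "   Name : Value" lines of the report into a hashtable.
    # Box-drawing and header lines do not match the pattern and are skipped.
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Get-DeviceJoinClass {
    # Map the device/user state flags onto the classification used on this page.
    param([hashtable]$State)
    $aadJoined = $State['AzureAdJoined']   -eq 'YES'
    $domJoined = $State['DomainJoined']    -eq 'YES'
    $wpJoined  = $State['WorkplaceJoined'] -eq 'YES'   # "Access work or school" registration

    if ($aadJoined -and $domJoined) { return 'Hybrid Entra ID joined (corporate)' }
    if ($aadJoined)                 { return 'Entra ID joined (corporate)' }
    if ($wpJoined)                  { return 'Entra ID registered (personal / BYOD)' }
    return 'Not joined or registered in Entra ID'
}

# Constructed sample report (a registered, personal device) used as a fallback
# so the script also runs where dsregcmd.exe is not present.
$sampleReport = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : NO
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : NO
           WorkplaceJoined : YES
'@ -split "`n"

$report = if (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue) {
    dsregcmd /status
} else {
    $sampleReport
}

$deviceState = ConvertFrom-DsregStatus -Lines $report
Write-Output ("Classification: " + (Get-DeviceJoinClass -State $deviceState))
```

Run it in a normal (non-elevated) PowerShell session on the device in question. A result of "Entra ID registered" on a computer used exclusively for University business, or "Entra ID joined" on a personal machine, means the device was enrolled the wrong way and should be disconnected and re-enrolled as described above.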
Administering Your Devices
You can see and manage all of your enrolled administered devices using the Company Portal app, which is installed automatically on every Entra ID joined Windows 10/11 computer, or manually during enrollment on macOS computers and mobile iOS/iPadOS/Android devices. There is also a web version of this app available at portal.manage.microsoft.com. This app allows you to:
- See all of your University administered devices
- Give user-friendly display names to your administered devices
- Install additional apps on your administered devices
- Check if your administered devices meet minimum requirements (device compliance) for full access to University apps, systems and data (conditional access)
- Initiate device check-in to update and re-evaluate device compliance policies
- Reset your device PIN, if enabled.
- Reset your device operating system back to factory settings and wipe all apps and data in the event the device is lost or stolen.
In addition, you can use the myprofile.microsoft.com (or myaccount.microsoft.com) website to manage the MFA security settings of your Microsoft work or school account; it also provides a list of your enrolled devices and their encryption keys. From there you can disable lost devices, see the log of their sign-ins, remotely sign out from all devices, view your enterprise apps, and see a list of the groups you belong to.
Frequently Asked Questions
Why am I being prompted to enroll my personal smartphone when trying to use Microsoft Teams, Outlook or Authenticator app on it?
Compliance policies are assigned to all administered devices and are used to determine whether a device is "compliant" with the minimum requirements defined in the assigned compliance policy. Personal devices that have University apps installed on them have to meet the same minimum requirements as University-owned devices in order to retain access to University apps, systems and data. Being enrolled in Intune is one of the requirements for a device to be deemed compliant. Therefore, if you are using your personal smartphone for work, it has to be enrolled in Intune so that its compliance can be evaluated.