A few weeks after the Windows 10 launch, Microsoft has enabled a new automatic mobile device management (MDM) enrollment feature for the new operating system powered by Azure Active Directory (AD) Premium and Intune.
“By combining login, Azure AD Join and Intune MDM enrollment in one easy step, we’ve made it drop-dead simple to bring devices into a well-managed state that complies with your corporate policies,” Alex Simons, director of program management at Microsoft’s Identity and Security Services Division, wrote in an Aug. 17 blog post. “This ‘one-step’ enrollment is a unique new capability of Windows 10, one that really differentiates it from other mobile platforms.”
Azure AD is the cloud-based version of the company’s Active Directory user access and identity management platform. Similarly, Intune provides MDM, application and PC management as a cloud-delivered service.
Despite the feature’s potential to speed Windows 10 deployments and protect both corporate-owned and personal devices, enabling MDM in this manner doesn’t have to be an all-or-nothing undertaking, the company said. Although administrators can automatically bring all Windows 10 PCs and tablets under Intune management with minimal configuration on their part, they can elect to take a more measured approach, said Microsoft program manager Mahesh Unnikrishnan in the co-authored blog post.
In a walk-through of the new capability, Unnikrishnan said administrators “have the flexibility to specify whether only users belonging to a specific set of groups should have their devices managed by Microsoft Intune.” Businesses can take their time bringing Windows 10 into the MDM fold.
“This is useful for performing phased rollouts of the feature in your organization. You can start off with a few groups and subsequently roll out the deployment more broadly in your organization,” Unnikrishnan added.
The feature produces an MDM enrollment URL, which “is done automatically when users join their devices to Azure AD or when they add a work account to their Windows 10 machine, if automatic MDM enrollment is enabled for them,” explained Unnikrishnan. Microsoft also plans to provide businesses with a terms of use URL option. “The ability to configure custom terms of use for users to see as part of the enrollment process will be made available in an Intune update shipping later this year,” he added.
Finally, if a Windows 10 device breaks the rules, Intune will let users know why they suddenly can’t seem to access their organization’s data and apps via an MDM compliance URL.
“When a device is found to be out of compliance, Azure AD’s conditional access control engine will block access to users for applications that require compliant devices. In this scenario an ‘access denied’ message will be displayed to end users,” Unnikrishnan said.
Intune then helpfully sets users on the path toward correcting the situation. “Users will also see this compliance URL on the access denied page. The compliance URL helps end users understand why their device is not compliant with policy and how they can bring it back into compliance,” stated Unnikrishnan.