Salaam, Namaste, Ola and Hello!
For those who are new to my blog, welcome, and to those who are returning, a big thanks!! In my last blog (https://iamitgeek.com/?p=95) I went through Samsung Knox Enroll and what is required to integrate it with Azure Intune MDM. In part two of that series I will take a closer look at what you can do within Intune to deploy security policies and applications to the devices once they are enrolled.
At this point we have successfully enrolled our device into Intune via the Samsung Knox Enroll service, so we should be able to see our mobile device in the Azure Intune portal. You can confirm this by going to Devices > All Devices within the Intune portal.
As with any device that is going to store company data, security is key. Intune uses Device Compliance policies to deploy security settings to its enrolled devices and supports the following platforms:
The purpose of a compliance policy is to ensure devices meet certain criteria before they are authorized to access and store company data. At the same time, if any existing device becomes non-compliant you are alerted about it. You create the policies within Device Compliance > Policies > Create Policy. In this case my requirement is to create a policy for Android devices. The initial configuration required is straightforward: policy name, description and your chosen platform. We then get four additional options –
The first option is ‘Settings’, which in turn has three sub-options: ‘Device Health’, ‘Device Properties’ and ‘System Security’. Device Health allows you to set the required Device Threat level, block rooted devices and add protection around Google Play. Device Properties allows you to specify a minimum and maximum OS version, which is a great feature if you want to deploy applications that need a specific OS version. The third option, System Security, holds what I would say are the most commonly configured settings, as they all revolve around passwords, encryption and device security. Finally you need to set an action for noncompliance, which tells Intune what to do if the device ever becomes non-compliant. The three available actions are:
- Mark Device as non-compliant
- Remotely Lock Device
- Send Email to end user
Once the Compliance Policy is ready you then need to create a security group and assign this group to the policy.
The key thing to understand when creating a security group in Intune is the Membership type, and as you can see from the image above there are three:
- Assigned
- Dynamic User
- Dynamic Device
In an Assigned group you manually add the members, whereas Dynamic User and Dynamic Device groups are populated by a query (user-based and device-based respectively). In my case I created an assigned group and added my test account and the Samsung device that was already enrolled in Intune. Once you have set up the compliance policy you then need to wait for your device to synchronize with Intune and download the policy before you can see whether it is compliant or not; depending on what you configured in the ‘Actions for noncompliance’ section, Intune will either lock the device, send an email or simply mark the device as non-compliant in the portal.
When you are happy with the security and compliance of the device you can then start to look at deploying applications. There is a whole host of application types, as shown in the image below:
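To make the portal steps above concrete (the Device Health / Device Properties / System Security settings, the three noncompliance actions, and the group assignment), here is an added example of the same policy expressed as Microsoft Graph request bodies, plus a small local check of what a device's reported properties would fail against it. This is example code written for this page, not the blog's own or Microsoft's; the property names and enum values (`securityBlockJailbrokenDevices`, `osMinimumVersion`, `passwordRequiredType`, `actionType` values such as `block` and `remoteLock`) are assumed from the Graph `androidCompliancePolicy` resource, the device check-in records are constructed sample data, and nothing is actually sent to Graph.

```python
"""Build an Intune Android compliance policy as Microsoft Graph request bodies
and evaluate a device's reported properties against it.

Added example, not code from the original post. The JSON property names and
enum values follow the Microsoft Graph ``androidCompliancePolicy`` and
``deviceComplianceScheduledActionForRule`` resources as this example assumes
them; the device records are constructed sample data. Nothing is sent to Graph.
"""
import json
from typing import Dict, List


def version_tuple(v: str) -> tuple:
    """Turn '9.0' or '10' into a comparable tuple; plain string comparison
    would wrongly rank '10' below '9.0' when checking the OS version range."""
    return tuple(int(p) for p in v.split("."))


def android_compliance_policy(name: str, os_min: str, os_max: str) -> Dict:
    """Request body for POST /deviceManagement/deviceCompliancePolicies,
    mirroring the portal's Device Health / Device Properties / System Security
    sub-options described in the post."""
    return {
        "@odata.type": "#microsoft.graph.androidCompliancePolicy",
        "displayName": name,
        "description": "Android devices enrolled through Knox Enroll",
        # Device Health
        "securityBlockJailbrokenDevices": True,     # block rooted devices
        "securityRequireVerifyApps": True,          # Google Play Protect
        "securityRequireGooglePlayServices": True,
        # Device Properties
        "osMinimumVersion": os_min,
        "osMaximumVersion": os_max,
        # System Security
        "passwordRequired": True,
        "passwordMinimumLength": 6,
        "passwordRequiredType": "numericComplex",
        "storageRequireEncryption": True,
        # Actions for noncompliance, in the order the post lists them.
        # Assumption: the portal's "Mark device as non-compliant" is the
        # Graph actionType "block".
        "scheduledActionsForRule": [{
            "ruleName": "PasswordRequired",
            "scheduledActionConfigurations": [
                {"actionType": "block", "gracePeriodHours": 0},
                {"actionType": "remoteLock", "gracePeriodHours": 24},
                {"actionType": "notification", "gracePeriodHours": 0,
                 "notificationTemplateId": "<NOTIFICATION-TEMPLATE-ID>"},
            ],
        }],
    }


def group_assignment(group_id: str) -> Dict:
    """Body for POST /deviceManagement/deviceCompliancePolicies/{id}/assign,
    targeting the Assigned security group created in the post."""
    return {"assignments": [{
        "target": {"@odata.type": "#microsoft.graph.groupAssignmentTarget",
                   "groupId": group_id}}]}


def failed_rules(policy: Dict, device: Dict) -> List[str]:
    """Return the policy settings a device does not satisfy (empty == compliant).
    ``device`` is a constructed check-in record, not a real Intune object."""
    failed = []
    if policy["securityBlockJailbrokenDevices"] and device["rooted"]:
        failed.append("securityBlockJailbrokenDevices")
    ver = version_tuple(device["osVersion"])
    if ver < version_tuple(policy["osMinimumVersion"]):
        failed.append("osMinimumVersion")
    if ver > version_tuple(policy["osMaximumVersion"]):
        failed.append("osMaximumVersion")
    if policy["passwordRequired"] and not device["passwordSet"]:
        failed.append("passwordRequired")
    elif policy["passwordRequired"] and \
            device["passwordLength"] < policy["passwordMinimumLength"]:
        failed.append("passwordMinimumLength")
    if policy["storageRequireEncryption"] and not device["encrypted"]:
        failed.append("storageRequireEncryption")
    return failed


def actions_for(policy: Dict, device: Dict) -> List[str]:
    """Which noncompliance actions fire for this device, and after how long."""
    if not failed_rules(policy, device):
        return []
    cfgs = policy["scheduledActionsForRule"][0]["scheduledActionConfigurations"]
    return [f"{c['actionType']}@{c['gracePeriodHours']}h" for c in cfgs]


# Constructed sample check-ins for a Knox-enrolled test device
POLICY = android_compliance_policy("Android - Knox Enroll", "8.0", "10")
GOOD_DEVICE = {"rooted": False, "osVersion": "10", "encrypted": True,
               "passwordSet": True, "passwordLength": 6}
ROOTED_OLD = {"rooted": True, "osVersion": "7.1", "encrypted": False,
              "passwordSet": False, "passwordLength": 0}

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    print(json.dumps(group_assignment("<GROUP-OBJECT-ID>"), indent=2))
    print("good device:", failed_rules(POLICY, GOOD_DEVICE))
    print("rooted device:", failed_rules(POLICY, ROOTED_OLD),
          actions_for(POLICY, ROOTED_OLD))
```

The `version_tuple` helper is the part worth noticing: the OS version bounds are strings in the policy, and a device on Android 10 would be flagged as below a 9.0 minimum if the versions were compared as text. The local evaluator is only there to show which setting a given device trips; in practice Intune performs this evaluation after the device synchronizes and then runs the scheduled actions in the order and grace periods you configured.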
During my testing I was able to successfully deploy an Android Application and a ‘Managed by Google Play’ application. I will not cover deploying applications in this blog as it deserves its own series (coming soon!!); however, much like the compliance policies, you can also deploy specific apps to specific groups of users and devices.
That concludes my blog series on Samsung Knox Enroll with Intune integration folks, I hope you enjoyed this series and I would love to know what you thought so please feel free to leave a comment in the comments section. Until next time, ‘IamITGeek’ over and out!