Demo Overview: Managed Mobile Productivity



Managed Mobile Productivity
Demo Track
Updated: May 16th, 2017

This document is provided “as-is”. Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.

© 2017 Microsoft. All rights reserved.

Table of Contents

Demo Overview: Managed Mobile Productivity
  Scenarios and Features
  Intended Audience
  Length
  Demo Prerequisites
  One-Time Demo Environment Setup
Secure access to Office 365 and protect data on unmanaged devices
  Pre-Demo Steps
  Mobile Application Management without Enrollment
  Demo Reset Steps
Secure access to Office 365 and protect data on mobile devices, apps, and PCs
  Pre-Demo Steps
  Enroll Device for Conditional Access
  Mobile Application Management
  Device Retirement and Selective Wipe
  Demo Reset Steps
Intune Management – The IT Pro Experience
  Pre-Demo Steps
  Conditional Access Policies
  Create a Configuration Policy
  Demo Reset Steps
Appendix 1: Configure your Demo Tenant
  Configuring Tenant for iOS Devices
    Create an Apple ID (if necessary)
    Configure Intune Admin Settings for iOS Device Management
  Apply Contoso Branding to Intune Company Portal
  Assign Managed iOS Apps
  Assign Managed Android Apps
  Create Exchange Online Conditional Access Policy
  Configure Device Compliance Policy
  Configure App Protection Policy
Appendix 2: Configure Your Demo Devices
  Mobile Device Requirements
  Device Setup Steps
    Set Up Device #1 – Unmanaged (iPad or iPhone)
    Set Up Device #2 – Managed (iPad or iPhone)

Demo Overview: Managed Mobile Productivity

People want to access their corporate applications and stay productive from a variety of devices, both at work and away. Using Intune, organizations can provide their employees with access to corporate applications, data, and resources from virtually anywhere on almost any device, while helping to keep corporate information secure.

Scenarios and Features

This demo guide will cover the following technical scenarios listed below.
Please note some scenarios are available as PowerPoint click through demos only as these require a lot of setup to perform live using your demo environment.

Scenario & Value Prop | Technical Scenario | Demo Resources/Links
Secure access to Office 365 and protect data on unmanaged devices | Mobile Application Management without Enrollment | Deep Dive Guide, Click Through Guide
Secure access to Office 365 and protect data on mobile devices, apps, and PCs | Device-based Conditional Access | Deep Dive Guide, Click Through Guide
Secure access to Office 365 and protect data on mobile devices, apps, and PCs | Mobile Application Management | Deep Dive Guide, Click Through Guide
Secure access to Office 365 and protect data on mobile devices, apps, and PCs | Device Retirement and Selective Wipe | Deep Dive Guide
Intune Management – The IT Pro Experience | Configuring Conditional Access | Deep Dive Guide
Intune Management – The IT Pro Experience | Creating a Configuration Policy | Deep Dive Guide

Intended Audience

IT Pro, Business Decision Makers, End Users

Length

20-30 minutes

Demo Prerequisites

- A Microsoft Enterprise Mobility + Security (EMS) demo environment provisioned through demos. portal. See the EMS Demos Getting Started Guide for detailed instructions on creating your own demo environment.
- Two iOS mobile devices (iPhone or iPad) running iOS 9 or higher.
  - One device to demo MAM without Enrollment, and the other to demo MAM with Enrollment.
  - This is due to the time requirement to install the managed versions of the applications required for the demo and to ensure policy is fully applied to the device.
  - Android devices are supported as well. For detailed instruction on using Android devices with Intune, please review this article.
- A Windows PC running Windows 8.1 or above.

One-Time Demo Environment Setup

Your demo tenant is pre-provisioned with a lot of content and settings that you can leverage as-is. However, some settings need to be manually configured by you. Please ensure the following activities are performed against your tenant prior to your first demo:

- If you plan to use custom demo personas for your demo, ensure the user accounts are appropriately licensed for EMS and Office 365. You may use the Office Admin Portal ( then click Admin tile) to review and modify the tenant subscription and user licensing status.
- Perform one-time manual setup steps against your demo tenant as detailed in Appendix 1.
- Prepare your demo mobile devices as detailed in Appendix 2.

Important Note: This demo is best performed using two mobile devices (iPad or iPhone). If you have only one device, we recommend you perform Demo 1 (Secure access to Office 365 and protect data on unmanaged devices) using a click-thru guide, and use your device for performing Demo 2 live.

Secure access to Office 365 and protect data on unmanaged devices

Pre-Demo Steps

Prior to each demo, ensure the following setup steps have been performed in your demo tenant/device. Detailed instructions are provided in the Appendix sections.

- Mobile device that is NOT enrolled to Intune.
  - See the Appendix 2 for detailed device setup instructions.
  - If this is not possible, please use the Click Through Guide.
- Verify that the Conditional Access Exchange Online Policy is not enabled.
  - In Microsoft Edge, open and log in with your Global Admin credentials.
  - In the left hand navigation, click Azure Active Directory.
  - In the SECURITY section, click Conditional access.
  - In the policy list, ensure that Exchange Online Policy does not have a check mark in the ENABLED column.
  - If it does, click the policy, set Enable policy to Off and click Save.

Mobile Application Management without Enrollment

Speaker Script | Click Steps

Opening

I think you would agree with me that one of the main capabilities your employees want on their mobile devices is access to their corporate email and documents. And they expect to do it in a fast and easy way without the need of going through multiple complex steps or calling the help desk. IT, on the other hand, wants to keep the corporate data secure wherever it is.
Let me show how you can solve both of these problems with Office 365 and EMS.

A new capability of Microsoft Intune allows Mobile Application Management (MAM) without requiring the device to be enrolled for IT management: Intune MAM without Enrollment. This is particularly useful for BYOD scenarios where end users don’t want to or can’t enroll their devices for IT management. This capability is also useful in cases where a device is already enrolled in another MDM solution.

This is Isaiah Langer’s personal, mobile device. He occasionally uses it to access corporate data from his company, Contoso. However, Isaiah has not yet enrolled his device into any MDM solution. Let’s take a peek at device settings to confirm this.

If this device was enrolled in an MDM solution, you would see an entry under VPN labelled Device Management, but no such entry exists. So we can conclude this device is not enrolled in an MDM solution.

Now that we have verified that the device is not enrolled, open an app that is targeted with Contoso’s MAM without Enrollment policy: the OneDrive app.

We have logged in to this app as Isaiah Langer with his corporate identity at Contoso.

As you can see, there are a few prompts, some notifying you that the apps are being managed and requiring you to create a 4-digit PIN.

Now, we will open a Word document from his OneDrive folder – a corporate location – and see what is allowed or disallowed by the MAM policy defined by Contoso’s IT Administrator.

When attempting to save the corporate document to the local device, we received an error stating “Your administrator doesn’t allow saving to personal locations”. The iPad location here is a local storage space, not considered a corporate location by the MAM policy.

When saving this same document to the corporate OneDrive for Business, there are no restrictions.

Isaiah may still attempt to transfer corporate data through copy/paste. MAM without Enrollment policy can control where corporate data can be pasted to as well.

Let’s attempt to paste this data into a new document.

As you can see the Paste function is not available in a newly created document.

For the Paste function to work, the Word document first has to be saved to an authorized location. Let’s save this document in an authorized location and retest the copy/paste function.

Once the new document is saved to an authorized location, Isaiah’s corporate OneDrive, the paste function appears.

Now you are able to successfully paste the contents into the new document.

But what do you think would happen if I were to attempt to paste the same information into the Notes app?

One would think that MAM w/o Enrollment only concerns itself with the location in which corporate data is stored through the use of managed apps.

But that is not the case.

Not only does MAM w/o Enrollment concern itself with the location where you attempt to save corporate data but also the applications which you try to import/export corporate data to.

Although this device is not enrolled in an organization’s MDM solution, the MAM w/o Enrollment policies set by the organization block you from taking data outside of the organization in a variety of different ways – thereby protecting against data leakage.

Perform these steps on an unmanaged iOS device (Device #1).

- Tap on Settings app to open.
- Tap General, then scroll to the bottom.
- Locate the settings group containing iTunes Wi-Fi Sync and VPN. Note: If the device was enrolled, there would be a third setting in this group – see sample screenshots below.
  [Screenshots: Not Enrolled to MDM / Enrolled to MDM]
- Navigate back to the device’s Home screen.
- Open OneDrive app.
- If prompted to restart the application, please restart the application to apply the MAM policy to the app.
- Tap OK when notified with a message regarding protection of company data in the app.
- If prompted, type the PIN you set for the app.
- Scroll down, then tap Holiday Web Marketing Strategies document.
- At the top of the screen, tap the Word icon. The document will open in Word app.
- In the Word menu, tap File > Save a Copy.
- Tap iPad. Tap Save. Note the prompt that disallows save.
- Tap OK on the error message.
- Tap OneDrive.
- Tap Save. Note that save is allowed.
- Tap/hold (1-2 secs) anywhere in the document, then release to reveal copy menu.
- Tap Select All > Copy.
- On the document menu bar, tap the Back Button.
- Tap New > Blank Document.
- Tap/hold (1-2 secs) then release anywhere in the document. Tap Paste.
- Note the text that is pasted.
- Tap the File Menu > Name. Tap OneDrive – Contoso <tenant> > Save.
- Tap/hold (1-2 secs) on the previously pasted text then release.
- Tap Select All.
- Tap Paste.
- Press the Home button.
- Tap on the Notes app.
- In the upper right corner, tap the New Note icon.
- Click on the cursor.
- Tap/hold (1-2 secs) then release anywhere in the document.
- Tap Paste. Note the text that is pasted in to the app.

Demo Reset Steps

Perform these steps after each demo presentation to ensure re-usability of this demo environment:

- Device #1: Delete new Word documents saved to OneDrive.

Secure access to Office 365 and protect data on mobile devices, apps, and PCs

Pre-Demo Steps

Prior to each demo, ensure the following setup steps have been performed in your demo tenant/device.
Detailed instructions are provided in the Appendix sections.

- A mobile device that is NOT enrolled to Intune.
- Another mobile device that IS already enrolled to Intune and configured as recommended in the Appendix.
  - This is due to the time requirement to install the managed versions of the applications required for the demo and to ensure policy is fully applied to the device.
  - If this is not possible, please use the Click-Through-Guides for Enrollment and Mobile Application Management.
  - See the Appendix 2 for detailed device setup instructions.
- Verify that the Conditional Access Exchange Online Policy is enabled.
  - In Microsoft Edge, open and log in with your Global Admin credentials.
  - In the left hand navigation, click Azure Active Directory.
  - In the SECURITY section, click Conditional access.
  - In the policy list, ensure that Exchange Online Policy has a check mark in the ENABLED column.
  - If it does not, click the policy, set Enable policy to On and click Save.

Speaker Script | Click Steps

Opening

One of the main capabilities your employees want on their mobile devices is access to their corporate email and documents. And they expect to do it in a fast and easy way without the need of going through multiple complex steps or calling the help desk. IT, on the other hand, wants to keep the corporate data secure wherever it is.

Perform these steps on mobile device #1

- On your device, launch Outlook app.
- Tap Get Started, then dismiss app initialization/welcome messages, if necessary.
- If prompted for notifications tap No Thanks.
- Enter the email address: IsaiahL@<tenant>.
- Tap Add Account.
- Sign in with the tenant password.
- Tap Sign in. Note the Conditional Access policy message that blocks access to email:
- Tap Enroll.
- Tap OPEN to launch Microsoft Intune Company Portal app.
- Log in to Intune Company Portal as IsaiahL@<tenant>. and tap Sign in.
- On Company Access Setup page, tap Begin.
- Tap Continue twice to skip the introductory pages.
- On What comes next? page, tap Enroll. You will be directed to the built-in iOS Settings app. Complete the enrollment steps:
  - On Install Profile page, tap Install.
  - Enter device passcode (prompted only if device currently has a passcode).
  - Tap Install.
  - On Warning page, tap Install.
  - On Remote Management dialog, tap Trust.
  - On Profile Installed page, tap Done.
- Tap Open to open the page in the Intune Company Portal app.
- On Company Access Setup page, tap Continue.
- Tap Done to complete Company Access Setup.
- You should now see the Intune Company Portal home page.
- Press the device’s home button. If your device does not have a PIN, you’ll see a Passcode Requirement dialog where you must set one within 60 minutes.
- Tap Continue, then set a new device passcode. If your device has a passcode currently, you’ll be prompted to type that in first.
  Tip: For a complex, 4-character passcode, use 1111 so it’s easy to remember.
- Tap Outlook to return to app.
- Tap the back arrow to return to the Add Email Account page.
- Tap Sign In with Office 365.
- Login as IsaiahL@<tenant>..
- Tap Maybe Later on Add Another Account page.
- Tap Skip on the Focused Inbox page.
- Note the Inbox is now populated with IsaiahL’s emails from Exchange server.

Enroll Device for Conditional Access

When employees add their corporate Office 365 account in the Outlook app, they expect to get access to all of their email, but with EMS you can enable conditional access which ensures that employees access corporate email only from managed and compliant devices.

As you can see here, they are blocked and are informed that in order to get access they need to first enroll their device to Intune.

Enrollment is performed via the Intune Company Portal app.
The app is already installed on this device, so the user can launch straight in to the enrollment process.

Employees need to login with their corporate Azure AD identity (same credentials employees would use to access email), and go through the standard iOS enrollment process that includes applying a management profile and certificates for secure communication between the device and Microsoft Intune.

There are a few things happening behind the scenes here. First, Intune gets device information without collecting personal data since this is a personal device. Next, Intune also registers this device with Azure AD, so now both Intune and Azure AD know that this device belongs to this employee, which is useful for a few other scenarios when the employees want to access corporate resources from this device. Intune also starts to deploy and enforce device settings like password requirements, resource access profiles such as WiFi and VPN, certificates, and applications.

Once the enrollment is completed, employees need to ensure that their device is compliant with the corporate policies. This is a great solution since employees get access to email with just a few simple steps but IT is also happy because the corporate data is accessed only from managed devices. So far, I showed you that you can require your employees to get their devices managed by Intune in order to get access to corporate resources such as email and documents.

Mobile Application Management

Once the device is enrolled, employees are now able to access the Intune Company Portal app.

Through the Intune Company Portal app, you also have quick access to IT Support information.

The Intune Company Portal app provides access to install managed applications. These apps could consist of corporate line-of-business applications or apps available through the public app stores.

Intune is able to manage and enforce app restrictions for Office mobile apps and other 3rd party productivity apps on both iOS and Android devices, thus increasing the productivity and collaboration capabilities of employees while protecting and securing corporate data.

Now, let’s take a look at data protection with Mobile Application Management policies.

Mobile Application Management policies not only manage the apps but also all corporate data being accessed by a user’s corporate credentials. Through these policies, features such as copy/cut/paste/save are thoroughly controlled, essentially not allowing a user to perform such actions in unauthorized apps or locations.

To gain a better understanding, let’s take a look at the Northwind Proposal document attached in Alex Wilber’s email.

First, let’s test the copy/paste function in a new email.

In Isaiah’s personal email account, the paste function is not available.

Now to see if the same function is available in his corporate email account.

As expected, the copy/paste function is available through Isaiah’s corporate email account, thus ensuring that corporate data is only sent via authorized accounts.
What would happen if someone tried pasting this information into an unmanaged app, such as Notes?

As you can see, the paste option is shown in Notes, an unmanaged app; however, no content is pasted when the user selects that action.

Again this ensures that corporate information is kept in authorized locations only.

Lastly, let us look at the save function.

To do so, we will use the same attachment but open it in Word.

Let’s first attempt to save this document to Isaiah’s personal Dropbox and review the results.

It seems we are not allowed to perform this action due to the MAM policies in place.

However, when attempting to save this same document to Isaiah’s corporate OneDrive, the action was seamless and allowed.

Note: Perform this demo on your enrolled device (#2): the device that you ended up with at the end of the setup in Appendix 2.

- Launch the Company Portal app on your Intune enrolled mobile device.
- Scroll up/down the screen and show custom branding and IT Support info.
- Tap All Apps to reveal available apps.
- Press home button to close the Company Portal app.
- Launch Outlook app (which is now configured with 2 email accounts).
- In Isaiah’s corporate inbox, scroll down and tap on an email from Alex Wilber (subject Northwind Proposal).
  Tip: You may open any email in the user’s corporate inbox with a Word document attachment.
- Tap on the attachment file name to preview contents.
- Tap Word to open the document in Word.
- On a text paragraph, tap and hold, then Select.
- Drag the handles to select the whole paragraph.
- Tap Copy.
- At the top left, tap Back to Outlook.
- Tap Close to dismiss document preview.
- Tap compose new email icon.
- Tap on the email address label at top of the screen, and tap on personal mail account to switch.
- In the message body (whitespace) tap and hold to reveal paste option. Click Paste and note paste text is not the corporate content.
- Tap on the email address label at top of the screen again, then switch to Isaiah’s corporate account.
- In the message body (whitespace) tap and hold for a second to reveal Paste option, then tap Paste.
- Discard the email message (by tapping X icon, then confirming Delete draft).
- Press the home button, then launch the built-in iOS Notes app.
- Create a new note and attempt to paste (tap + hold on whitespace). Note you will not be able to paste the corporate content (even if Paste option/menu item is visible).
- Double-press the home button, then return to Outlook app.
- Back in the Northwind Proposal email, tap the attachment to open the document preview.
- Tap Word to open the document in Word.
- Tap the File menu icon in Word app, then Save a Copy.
- Tap Dropbox.
- Tap Save.
- At alert box with message: “Your administrator doesn’t allow saving to personal locations.” tap OK.
- Tap OneDrive - Contoso, then Save.

Device Retirement and Selective Wipe

Let’s imagine a scenario where the Employee decides to un-enroll the device from Intune. Perhaps the employee is no longer with the company, or the employee wants to no longer use the device for work. What will happen to the corporate data in the device?

Intune provides a way for the end user to retire the device by un-enrolling from Intune. The selective wipe policy will destroy all corporate data from the device, but leave personal data intact.

Intune also allows an IT Administrator to retire devices remotely from the Intune management portal. Furthermore, the Administrator can remotely perform full device wipe, remote lock, and passcode reset capabilities to help secure data on lost or stolen devices.
You issue these commands from the Admin console.

- Launch Company Portal app.
- Under My Devices, tap the icon for your device.
- Tap Remove button at the bottom.
- Tap Remove again to confirm.
- Press the home button to return to device home page.
- Launch Outlook app.
- Note the App Wipe alert message, then dismiss it.
- Dismiss login prompts for IsaiahL’s corporate O365 credentials.
- Note the Outlook inbox still has Isaiah’s personal mails.

Demo Reset Steps

Perform these steps after each demo presentation to ensure re-usability of this demo environment:

- If the IT Pro demo is not being shown, ensure that the Conditional Access Exchange Online Policy is not enabled.
  - In Microsoft Edge, open and log in with your Global Admin credentials.
  - In the left hand navigation, click Azure Active Directory.
  - In the SECURITY section, click Conditional access.
  - In the policy list, ensure that Exchange Online Policy does not have a check mark in the ENABLED column.
  - If it does, click the policy, set Enable policy to Off and click Save.
- Device #2:
  - Browse to IsaiahL’s OneDrive Pro for Business web site (, logged in as IsaiahL) then delete the Northwind Proposal document from the root.
  - Go through steps of Setup Device #2 in the appendix so the same device is ready for your next demo. You may skip the steps where the configurations from prior runs are already there (e.g. Dropbox setup, personal inbox setup, etc.)

Intune Management – The IT Pro Experience

Pre-Demo Steps

This section focuses on IT Pro/administrative tasks for Intune management.

- Verify that the Conditional Access Exchange Online Policy is enabled.
  - In Microsoft Edge, open and log in with your Global Admin credentials.
  - In the left hand navigation, click Azure Active Directory.
  - In the SECURITY section, click Conditional access.
  - In the policy list, ensure that Exchange Online Policy has a check mark in the ENABLED column.
  - If it does not, click the policy, set Enable policy to On and click Save.
- Navigate to the Azure Portal: in with your demo tenant’s global admin’s credentials.
- In the left navigation pane, click More services.
- In the filter text box, type Intune and click Intune in the search results (not Intune App Protection).

Speaker Script | Click Steps

Conditional Access Policies

How difficult is this to configure for the IT Admin? Typically, this is a challenging project that often requires email gateways, servers in the perimeter network, lots of configuration, and custom scripts. Due to our cloud architecture, we significantly reduced the complexity, and made it very easy to configure. There are only 2 things IT needs to do to enable conditional access.

First, we define a compliance policy in Intune Admin Console which checks whether the device is healthy or not. As you can see, there are multiple settings that can be checked on the devices running Windows, Windows Phone, iOS, and Android.

Second, we enable the conditional access policy. In this example, it is enabled for Exchange Online. The appropriate restrictions and targeted groups are configured. Now employees in these groups need to have their devices enrolled and healthy in order to access the email.
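
An added example, not part of the original guide or of any Microsoft tooling: a pre-demo check of the Exchange Online Policy described above, run against a JSON export of the tenant's conditional access policies. It assumes the export uses the field names of Microsoft Graph's conditionalAccessPolicy resource; the group object ID, the demo labels and the sample export are constructed. It also flags a grant that combines "compliant device" with another control under OR, because that makes compliance optional.

```python
import json

# Application ID that Azure AD uses for Office 365 Exchange Online.
EXCHANGE_ONLINE_APP_ID = "00000002-0000-0ff1-ce00-000000000000"
POLICY_NAME = "Exchange Online Policy"
# Constructed placeholder for the object ID of the sg-Sales and Marketing group.
SALES_GROUP_ID = "11111111-2222-3333-4444-555555555555"

# Policy state each demo in this guide needs before it starts
# (the keys are hypothetical labels for the three demo sections).
REQUIRED_STATE = {
    "mam_without_enrollment": "disabled",  # Enable policy: Off
    "enrolled_device": "enabled",          # Enable policy: On
    "it_pro": "enabled",                   # Enable policy: On
}

# Constructed sample export matching the settings listed in Appendix 1.
SAMPLE_EXPORT = json.loads("""
[
  {
    "displayName": "Exchange Online Policy",
    "state": "disabled",
    "conditions": {
      "applications": {"includeApplications": ["00000002-0000-0ff1-ce00-000000000000"]},
      "users": {"includeGroups": ["11111111-2222-3333-4444-555555555555"]}
    },
    "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}
  }
]
""")


def check_exchange_policy(policies, demo, group_id):
    """Return the problems that would break the given demo (empty list = ready)."""
    matches = [p for p in policies if p.get("displayName") == POLICY_NAME]
    if not matches:
        return [f"{POLICY_NAME!r} does not exist"]
    if len(matches) > 1:
        return [f"{len(matches)} policies are named {POLICY_NAME!r}"]
    policy = matches[0]
    problems = []

    # The demos differ only in whether the policy must be On or Off.
    wanted = REQUIRED_STATE[demo]
    state = policy.get("state")
    if state != wanted:
        problems.append(f"state is {state!r}, demo needs {wanted!r}")

    # Cloud apps: Office 365 Exchange Online.
    conditions = policy.get("conditions") or {}
    apps = (conditions.get("applications") or {}).get("includeApplications") or []
    if EXCHANGE_ONLINE_APP_ID not in apps:
        problems.append("Office 365 Exchange Online is not a targeted cloud app")

    # Users and Groups: sg-Sales and Marketing.
    groups = (conditions.get("users") or {}).get("includeGroups") or []
    if group_id not in groups:
        problems.append("sg-Sales and Marketing is not an included group")

    # Grant: Require device to be marked as compliant.
    grant = policy.get("grantControls") or {}  # may be null in an export
    controls = grant.get("builtInControls") or []
    if "compliantDevice" not in controls:
        problems.append("grant does not require a compliant device")
    elif len(controls) > 1 and grant.get("operator") == "OR":
        # With OR, satisfying any other control bypasses the compliance check.
        others = sorted(c for c in controls if c != "compliantDevice")
        problems.append("compliant device is optional; also accepted: " + ", ".join(others))
    return problems


if __name__ == "__main__":
    for demo in REQUIRED_STATE:
        found = check_exchange_policy(SAMPLE_EXPORT, demo, SALES_GROUP_ID)
        print(demo, "->", "ready" if not found else "; ".join(found))
```
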
- Bring up the browser session with the Microsoft Intune blade.
- Click Device Compliance.
- Under MANAGE, click Policies.
- Click Enterprise Compliance Policy and click Properties.
- Review some of the settings in the policy by clicking on Settings and clicking on each of the categories:
  - Email
  - Device Health
  - Device Properties
  - System Security
- Click X on each open blade until back at the Microsoft Intune overview blade.
- In the list, click Conditional Access.
- In the list, click Conditional Access in Azure Active Directory.
- Click Exchange Online Policy.
- Click on Cloud Apps to show Exchange Online is selected.
- On the Exchange Online Policy blade, under Access Controls, click Grant to show the requirement for compliant device.
- On the Exchange Online Policy blade, point to Enable Policy setting.
- On the Exchange Online Policy blade, click Users and groups to show the selected groups.

Create a Configuration Policy

In Microsoft Intune, configuration policies are groups of settings that control features on computers and mobile devices. You create policies by using templates that contain recommended or customized settings, and then deploy them to device or user groups. In these demos, I will show you a variety of policy settings for managing mobile devices.

You add all configuration policies the same way. The only difference is that you choose different policy templates, depending on what you want to manage. Within each type of profile there are a whole variety of configuration settings, from device restrictions to configuring Wi-Fi and VPN settings for devices.

- Click X on each open blade until back at the Microsoft Intune overview blade.
- Click Device configuration.
- Click Profiles.
- Click + Create profile.
- Set the Name to Enterprise Device Profile.
- In the Platform drop down list, select iOS.
- Review some of the options in the Profile Type drop down list.
- In the drop down list, click Device restrictions.
- Review the categories of restrictions.
- Click-through categories of interest.
- When finished, click X on each open blade until back at the Microsoft Intune overview blade, clicking OK if prompted to discard edits.

Demo Reset Steps

Perform these steps after each demo presentation to ensure re-usability of this demo environment:

- To enable future MAM without Enrollment demos, ensure that the Conditional Access Exchange Online Policy is not enabled.
  - In Microsoft Edge, open and log in with your Global Admin credentials.
  - In the left hand navigation, click Azure Active Directory.
  - In the SECURITY section, click Conditional access.
  - In the policy list, ensure that Exchange Online Policy does not have a check mark in the ENABLED column.
  - If it does, click the policy, set Enable policy to Off and click Save.

Appendix 1: Configure your Demo Tenant

These steps need to be performed only once per demo tenant, and are required prior to performing demos or configuring devices for demoing.

Configuring Tenant for iOS Devices

Estimated Setup Time: 15 minutes

Before you can manage iOS mobile devices with Intune, you need an Apple Push Notification service (APNs) certificate. This certificate allows Intune to manage iOS devices and establish an accredited and encrypted IP connection with the mobile device management authority services. These steps need only be performed once per tenant. Perform these steps on a Windows 8.1 (or higher) device (not an iOS device) using Internet Explorer or Firefox browser.
There are two major steps for this configuration:

Create an Apple ID (if necessary)

You may use your existing Apple ID, if you have one, and skip this section.

- Navigate to the following URL and click Create your Apple ID.
- Fill in the My Apple ID form as required. Sample values provided below – feel free to use your own values.
  - Email: admin@<tenant>. (replace <tenant> with appropriate value)
  - Password (example): Contoso1
  - First Name: Demo
  - Last Name: Admin
  - Birthday: (fill in as appropriate)
  - Choose the 3 security questions from the drop-downs and answer them as appropriate.
  - Country: (fill in as appropriate)
  - Uncheck Email preference options
  - Type in the captcha text as you see on the screen
- Click Continue.
- To verify your email address:
  - Browse to . Log in with your Domain Admin credentials (same account you used for Apple ID above).
  - Locate the email from Apple with subject Verify your Apple ID, then make a note of the verification code in the email.
  - Return to the Apple ID page and enter the verification code from the email.

Configure Intune Admin Settings for iOS Device Management

- Navigate to the Azure Portal: in with your demo tenant’s global admin’s credentials.
- In the left navigation pane, click More services.
- In the filter text box, type Intune and click Intune in the search results (not Intune App Protection).
- Click Device Enrollment.
- Click Apple Enrollment.
- On the Apple MDM Push Certificate tile click Click to set up.
- In the list of Steps, click Download your CSR.
- In the list of Steps, click Create your MDM push Certificate. You will be taken to Apple Push Certificates Portal web site.
  Note: If you closed the previous browser session and are prompted for login, provide the Apple ID credentials you set up earlier.
- Click Create a Certificate.
- Accept Terms of Use by checking appropriate box and clicking Accept.
- In the Create a New Push Certificate page, click Browse… under Vendor-Signed Certificate Signing Request.
- Point to the .CSR file you saved to your local computer earlier (in step 8 above) and click Open.
- Click Upload.
- If you see a prompt to download a .json file, ignore it.
- If you are not re-directed to a new page after 30 seconds, click Cancel, which will take you to Apple Push Certificates Portal page.
- Click Download to download the Mobile Device Management certificate. Save the file to a local folder on your PC with .pem file extension.
- Return to Azure Portal > Configure MDM Push Certificate page.
- In the Apple ID text box, enter the Apple ID used to sign in to the Apple Push Certificates Portal.
- On step 4, click the browse icon, browse to the certificate you downloaded earlier (.pem file), and click Open.
- Click Upload.

Your demo tenant is now ready to accept iOS devices for enrollment!

Apply Contoso Branding to Intune Company Portal

Estimated Setup Time: 3 minutes

- If necessary, log in to the Azure Portal () as your demo tenant’s Global Administrator.
- In the left navigation pane, click More services.
- In the filter text box, type Intune and click Intune in the search results (not Intune App Protection).
- Click Mobile Apps.
- In the SETUP section, click Company Portal branding.
- Fill in the form as follows:
  - Company Name: Contoso
  - IT department contact name: IT Admin
  - IT department phone number: 800-555-1234
  - Support website URL: name: IT Web
  - Check the box for Show company logo
  - For Select a logo to use on light backgrounds, click the Browse icon.
  - In the file name text box enter and click Open.
  - For Select a logo to use on dark backgrounds, click the Browse icon.
  - In the file name text box enter and click Open.
  - Set Show company name next to logo to unchecked.
- At the top of the blade, click Save.

Assign Managed iOS Apps

Estimated Setup Time: 15 minutes

1. If necessary, log in to the Azure Portal () as your demo tenant’s Global Administrator.
2. In the left navigation pane, click More services.
3. In the filter text box, type Intune and click Intune in the search results (not Intune App Protection).
4. Click Mobile Apps.
5. In the MANAGE section, click Apps.
6. Click on the line for Excel on the iOS platform.
7. In the MANAGE section of the App blade, click Assignments.
8. Click Select groups.
9. In the search text box, enter sg-, and click sg-Sales and Marketing in the results.
10. Click Select.
11. In the Type drop down list, select Available and click Save.
12. Click on the X to close the blade for Excel – Assignments.
13. Repeat steps 6 to 12 for the following iOS applications:
  - Managed Browser
  - OneDrive
  - Outlook
  - PowerPoint
  - Word

Assign Managed Android Apps

If you wish to demo using Android devices, you can follow the same steps as above to publish Android applications in the Intune Company Portal.

Create Exchange Online Conditional Access Policy

Estimated Setup Time: 5 minutes

- In Microsoft Edge, open and log in with your Global Admin credentials.
- In the left hand navigation, click Azure Active Directory.
- In the SECURITY section, click Conditional access.
- If Exchange Online Policy does not exist, click + New Policy and configure it as follows:
  - Name: Exchange Online Policy
  - Users and Groups: sg-Sales and Marketing
  - Cloud apps: Office 365 Exchange Online
  - Grant: Require device to be marked as compliant
  - Enable policy: Off
- Click Create.

Configure Device Compliance Policy

Estimated Setup Time: 5 minutes

- If necessary, log in to the Azure Portal () as your demo tenant’s Global Administrator.
- In the left navigation pane, click More services.
- In the filter text box, type Intune and click Intune in the search results (not Intune App Protection).
- Click Device Compliance.
- Under MANAGE, click Policies.
- Click + Create Policy.
- Set the Name to Enterprise Compliance Policy.
- In the Platform drop down list, select iOS.
- Click Device Health.
- Set Jailbroken devices to Block and click OK.
- Click System Security and set the following values:
  - Require a password to unlock mobile devices: Require
  - Minimum password length: 4
  - Require password type: Numeric
- On the System Security, click OK, and then on the iOS compliance policy blade click OK.
- Click Create to finalize the policy.
- In the list of policies, click Enterprise Compliance Policy, then click Assignments.
- Click Select groups.
- In the search box, type sg-.
- Select sg-Sales and marketing and click Select.
- At the top of the blade, click Save.

Configure App Protection Policy

Estimated Setup Time: 5 minutes

- If necessary, log in to the Azure Portal () as your demo tenant’s Global Administrator.
- In the left navigation pane, click More services.
- In the filter text box, type Intune and click Intune in the search results (not Intune App Protection).
- Click Mobile Apps.
- In the MANAGE section, click App Protection Policies.
- In the policy list, click iOS ODFB-Word Protection Policy.
- Click User Groups and ensure policy is assigned to sg-Sales and Marketing.
  - If not, click Add user group.
  - In the search box, type sg-.
  - Click sg-Sales and Marketing, then click select.
- Click Targeted apps and ensure Word and OneDrive are checked.
  - If not, check Word and OneDrive and click Save.
- Click Policy settings and ensure the following settings are set:
  - Allow apps to transfer data to other apps: Policy managed apps
  - Prevent “Save As”: Yes
  - Select which storage services corporate data can be saved to: OneDrive for Business, SharePoint
  - Restrict cut, copy and paste with other apps: Policy managed apps with paste in
- If changes were made, at the top of the Policy settings blade click Save.

Appendix 2: Configure Your Demo Devices

The demo configuration and documentation has been written for and tested against iOS devices. Android devices are supported as well but demo steps have not been specifically provided.
For detailed instruction on using Android devices with Intune, please review this article.

Mobile Device Requirements

- iOS (iPad or iPhone) running latest versions of iOS 9 or above.
- Ideally, two such devices to be able to perform Demo 1 and Demo 2 back-to-back without setup time in between. This is due to the time requirement to install the managed versions of the applications required for the demo and to ensure policy is fully applied to the device.
- Ensure devices are free of the following apps (delete these apps if they exist in the devices currently):
   - Outlook for iOS
   - Word for iOS
   - OneDrive for iOS
- If feasible, perform a factory reset of the devices.

Device Setup Steps

Estimated Setup Time: 30-45 minutes

Set Up Device #1 – Unmanaged (iPad or iPhone)

You will perform the MAM without Enrollment and Conditional Access demo (Demo #1 and #2) on this device, hence the setup requirements are minimal.

1. Go to the iOS App Store and search for Microsoft Intune.
2. Download/install the apps Microsoft Intune Company Portal, Outlook, OneDrive and Word.
   - You can use any Apple ID to sign in to the App Store, or you can use the created in Appendix 1.
3. Sign in to OneDrive and Word as IsaiahL@<tenant>..
   - You may be prompted to restart OneDrive and sign in again so that management policies can be applied.
   - You will be required to set a PIN on the device; configure it to something memorable.
   - You will also be required to set an application level PIN for OneDrive, so configure it to something memorable also.

Set Up Device #2 – Managed (iPad or iPhone)

You will perform the Mobile Application Management demo (Demo #2) on this device.

1. Go to the iOS App Store and search for Microsoft Intune.
2. Download/install the app Microsoft Intune Company Portal.
3. Launch the app (will be labeled Comp Portal).
4. Sign in to Intune Company Portal with the following account: IsaiahL@<tenant>.
   TIP: copy the account email address in your device’s buffer so you can paste it easily later, instead of typing it each time!
5. On Company Access Setup page, tap Begin.
6. Tap Continue twice to skip the introductory pages.
7. On What comes next? page, tap Enroll. You will be directed to the built-in iOS Settings app.
8. On Install Profile page, tap Install.
9. Enter device passcode (prompted only if device currently has a passcode).
10. Tap Install.
11. On Warning page, tap Install.
12. On Remote Management dialog, tap Trust.
13. On Profile Installed page, tap Done.
14. Tap Open to open the page in the Intune Company Portal app.
15. On Company Access Setup page, tap Continue.
16. Tap Done to complete Company Access Setup. You should now see the Intune Company Portal home page.
17. When prompted to set up a password or PIN code, set a PIN for the device.
   Note: Remember the PIN as it will be required for the demo.
18. Back in Intune Company Portal app, tap All Apps.
19. Tap on each of the following apps then Install (note: for each app, you’ll see App Installation confirmation pop-up message after 10-20 seconds. Tap Install to confirm).
   - Outlook (required for demo flow)
   - Word (required for demo flow)
   - PowerPoint (optional but recommended)
   - Excel (optional but recommended)
   - OneDrive (optional)
   - Managed Browser (optional)

Note: Depending on your internet speed, it may take 10-30 minutes for these apps to finish installing to your device! Sometimes, for the larger apps (Word, Excel, PowerPoint), the Company Portal will time out and report that they have failed to install, even though installation is still progressing. If installation is not progressing, you can tap on the alerts in the Company Portal to retry installation.

Set Up Outlook/Emails/Dropbox:

1. When Outlook app has finished installing, tap on its icon to launch it.
2. If prompted to set up a numeric pin, tap an easy to remember 4-digit number, e.g. 1111.
3. Tap Get Started, then No Thanks.
4. On the Add Email Account page, paste Isaiah Langer’s corporate email address (IsaiahL@<tenant>.) and tap Add Account.
5. Type in IsaiahL’s password then tap Sign in.
6. Tap Maybe later, then tap Skip.
7. Tap Settings at the bottom of the screen, then + Add Account.
8. Tap Add Email Account.
9. Enter your personal demo email credentials and select/copy the email address in clipboard memory (for use later).
10. Tap Add Account.
11. Type the password, then tap Sign in.
12. Tap Settings at the bottom of the screen, then + Add Account.
13. Tap Add Storage Account, then tap Dropbox.
14. In the Dropbox sign in page, enter your personal demo Dropbox credentials then tap Sign in.
15. At the prompt tap Allow.

Setup/Configure Word

1. In Isaiah’s corporate inbox, scroll down and tap on an email from Alex Wilber (subject Northwind Proposal).
2. Tap the email attachment to open the preview. Tap Word to open the document in Word.
3. If this is the first time you’re launching Word app on this device, you’ll see several welcome messages and tips. Dismiss all such messages.
4. When the document opens, tap Sign In, and log in with IsaiahL’s credentials.
5. Tap the File menu icon in Word app, then Save a Copy.
6. Tap Add a Place.
7. Tap Dropbox.
8. In the Dropbox login page, enter your personal demo Dropbox credentials then tap Sign in and Link.
9. Close the Northwind Traders Proposal document by tapping the exit icon, .

You have now successfully set up and smoke tested your demo tenant and demo devices. We recommend you proceed with a run-through of the demo steps to familiarize yourself with the demo.