The first major book on MDM written by Group Policy and Enterprise Mobility MVP and renowned expert, Jeremy Moskowitz!
With Windows 10, organizations can create a consistent set of configurations across the modern enterprise desktop—for PCs, tablets, and phones—through the common Mobile Device Management (MDM) layer. MDM gives organizations a way to configure settings that achieve their administrative intent without exposing every possible setting. One benefit of MDM is that it enables organizations to apply broader privacy, security, and application management settings through lighter and more efficient tools. MDM also allows organizations to target Internet-connected devices and manage policies without using Group Policy (GP), which requires on-premises domain-joined devices. This makes MDM the best choice for devices that are constantly on the go.
With Microsoft shifting to Mobile Device Management (MDM), a cloud-based policy-management system, IT professionals need to know how to perform the tasks they already do with Group Policy using MDM instead, along with its differences and pitfalls.
What is MDM (and how is it different than GP)
Setup Azure AD and MDM Auto-Enrollment
New PC Rollouts and Remote Refreshes: Autopilot and Configuration Designer
Enterprise State Roaming and OneDrive Documents Roaming
Renowned expert and Microsoft Group Policy and Enterprise Mobility MVP Jeremy Moskowitz teaches you MDM fundamentals, essential troubleshooting techniques, and how to manage your enterprise desktops.
By: Jeremy Moskowitz
Imprint: Sybex Inc.,U.S.
Country of Publication: United States
Dimensions: Height: 234mm, Width: 185mm, Spine: 31mm
Weight: 930g
ISBN: 9781119564324
ISBN 10: 1119564328
Pages: 528
Publication Date: 12 July 2019
Audience: Professional and scholarly, Undergraduate
Format: Paperback
Publisher's Status: Active
Foreword
Introduction

Chapter 1 Enterprise Mobility and MDM Essentials
    Getting Ready to Use This Book
    Why the Need for MDM
    Group Policy and MDM Compared
    MDM: Guts, Protocols, and Moving Parts
    OMA-DM: The Protocol
    CSPs: Configuration Service Providers
    MDM Service
    Extending Your MDM Services with Third-Party Tools
    Final Thoughts

Chapter 2 Set Up Azure AD and MDM
    Comparative Analysis of Different MDM Services
    Azure AD Premium, Enterprise Mobility + Security, and Microsoft 365
    Office 365’s Built-In MDM Management
    Microsoft Intune
    VMware Workspace ONE
    MobileIron
    Setting Up Auto-Enrollment and Enrolling Your First Machines
    Turning On MDM Enrollment
    Add Your First User to Azure AD
    Enroll Your First Windows 10 Machine into MDM
    Optional Steps: Custom Domain Names and AD to AAD Synchronization
    Custom Domain Names: Goodbye to “onmicrosoft.com” Names
    Syncing Your On-Prem AD to Azure AD Automatically
    Final Thoughts

Chapter 3 MDM Profiles, Policies, and Groups
    MDM Policies and the Policy CSP
    MDM: Getting Started with Policies
    Profiles and Policies
    What Makes an MDM Policy?
    ADMX-Backed Policies
    Ingesting Third-Party ADMX Files
    Creating and Using Groups
    Creating Assigned Groups
    Creating Dynamic Groups
    Advanced Dynamic Rules
    Utilizing Groups in Intune
    Final Thoughts

Chapter 4 Co-Management and Co-Policy Management
    Co-Management of SCCM and Intune
    Co-Policy Management: Group Policy and Your MDM Service
    Auto-Enroll in Your MDM Service Using Group Policy
    Co-Policy Management…Who Wins: MDM or Group Policy?
    Final Thoughts

Chapter 5 MDM Migration and MDM Troubleshooting
    MMAT: Microsoft MDM Migration and Analysis Tool
    Troubleshooting MDM
    MDM Service Reports, Diagnostic Logs, and Event Logs
    Delivery Reports from Your MDM Service
    Advanced Diagnostic Reports and Resolving Conflicts
    Final Thoughts about the Advanced MDM Settings Report
    Resolving Conflicts
    Investigating Event Logs
    Remotely Collecting Logs from Windows 10
    Remember MdmWinsOverGP Setting and Gotchas
    Other Miscellaneous Notes, Traps, and Gotchas
    Final Thoughts

Chapter 6 Deploying Software and Scripts
    Preparing for the Remainder of the Chapter
    What to Download to Get Settled in for This Chapter
    How to (Generally) Deploy Applications with Intune
    Deploying MSI Applications with MDM
    Deploying Your First MSI Application
    Deploying AppX Apps via the Microsoft Store for Business
    Getting Started with and Activating the Microsoft Store for Business
    Acquiring AppX Packages to Distribute Using Microsoft Store for Business
    Deploying MSIX with MDM
    Repackaging an App with the MSIX Packaging Tool
    Deploying Office 365 ProPlus with MDM
    Deploying Win32 Apps with MDM
    Microsoft Intune Win32 Content Prep Tool
    Gathering All the Needed Items in One Place
    Preparing the Win32 Application Contents
    Add the .intunewin File to Intune
    Assign the App and See Results
    Other Win32 Deployment Examples, Troubleshooting, and Final Thoughts
    Deploying Scripts with Your MDM Service
    Deploying Scripts (That Deploy Software) with Intune
    Delivering Other Software and Files with MDM (Using PolicyPak File Delivery Manager)
    Downloading Unusual File Types
    Downloading .EXEs, .MSIs, or Unusual Software, Then Running a Script (and Cleaning Up When You’re Done)
    Downloading a ZIP and Automatically Unpacking Its Contents
    Final Thoughts

Chapter 7 Enterprise State Roaming and OneDrive for Business
    Pregame Setup for This Chapter
    Get Your Azure Tenant ID
    Enterprise State Roaming
    Setting Up Enterprise State Roaming
    OneDrive for Business
    Managing the OneDrive Tenant
    SharePoint and SharePoint Migration Tool
    OneDrive Sync Client
    OneDrive’s Magic Trick: Known Folder Move
    Files Restore (from Malware or User Error)
    Final Thoughts

Chapter 8 Rollouts and Refreshes with Configuration Designer and Autopilot
    Windows Configuration Designer
    Get WCD from the Windows Store
    What Can You Do with WCD? (And What Shouldn’t You Do with WCD?)
    WCD Example
    Implementing the .PPKG File
    Results from Using a .PPKG File
    Final Thoughts about WCD
    Autopilot
    Getting Devices Registered into Autopilot
    Creating Groups for Your Autopilot Machines
    Setting Up Your Autopilot Deployment Profile
    Automatically Harvesting Hardware IDs into Autopilot
    Autopilot: Resets, Retire, Wipes, and Fresh Starts
    Linking a Specific User to a Specific Hardware ID
    Autopilot Self-Deploying Mode
    Autopilot Hybrid Azure AD Join
    Autopilot White Glove
    Final Autopilot Resources

Chapter 9 Windows 10 Health and Happiness: Servicing, Readiness, Analytics, and Compliance
    Windows, Office, and OneDrive as a Service
    Servicing Windows
    Servicing Office
    Servicing OneDrive (Revisited)
    Making Your Own Rings for Windows, Office, and OneDrive
    Office and Application Readiness
    Office 365 Readiness Toolkit
    App Health Analyzer
    Desktop Analytics
    Introduction to Desktop Analytics
    Prepare, Pilot, and Deploy Phases
    Final Thoughts on Desktop Analytics
    Device Compliance and Health Attestation
    Getting Started with Compliance Policy
    Final Thoughts on Windows Health and Happiness

Chapter 10 Security with Baselines, BitLocker, AppLocker, and Conditional Access
    Security Baselines
    Creating Your Security Baselines in Intune
    Assigning Your Security Baseline to a Group
    Syncing Your Client to Get the Baseline
    Testing Your Baseline
    Reporting and Monitoring Baselines
    BitLocker: Full Disk Encryption
    Enabling BitLocker Using Intune
    BitLocker Key Recovery and Management
    BitLocker Final Thoughts and Additional Resources
    Application Whitelisting with AppLocker or PolicyPak Least Privilege Manager
    Using AppLocker for Whitelisting
    Using Your AppLocker Rule with Intune
    PolicyPak Least Privilege Manager for Whitelisting
    Conditional Access
    Setting Up Azure Conditional Access
    Final Thoughts on Security

Chapter 11 MDM Add-On Tools: Free and Pay
    Company Portal App
    Setting Up Company Portal Branding
    Users Interacting with the Company Portal App
    Microsoft Graph and the Graph Explorer
    PolicyPak On-Prem & MDM Edition
    Getting Started with PolicyPak
    Using PolicyPak to Export Existing Group Policy to MDM
    Using PolicyPak to Overcome UAC Prompts
    Using PolicyPak to Block and Allow UWP Applications
    Using PolicyPak to Manage Application, Browser, and Java Settings
    Using PolicyPak to Manage Windows Features (and Optional Features)
    PolicyPak Deployment with Intune (or Any MDM)
    Interesting Things I Found on the Internet
    Untested, but Seemingly Useful Scripts
    Yodamiitti Intune Management GUI
    Final Thoughts (on This Chapter, and about the Book!)

Index
JEREMY MOSKOWITZ is a 15-year Microsoft MVP awardee, founder of MDMandGPanswers.com, and CTO of PolicyPak Software. Since becoming one of the world's first MCSEs, he has performed Active Directory, Group Policy, and MDM planning and implementations for some of the nation's largest organizations. His best-selling book Group Policy Fundamentals, Security, and Troubleshooting, Third Edition is on the desks of administrators everywhere.