demo overview: managed mobile productivity -...

Post on 31-Jan-2018


Managed Mobile Productivity
Demo Track
Updated: May 16th, 2017

This document is provided “as-is”. Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.

© 2017 Microsoft. All rights reserved.


Deep Dive Demo Guide Managed Mobile Productivity

Table of Contents

Demo Overview: Managed Mobile Productivity
  Scenarios and Features
  Intended Audience
  Length
  Demo Prerequisites
    One-Time Demo Environment Setup
Secure access to Office 365 and protect data on unmanaged devices
  Pre-Demo Steps
  Mobile Application Management without Enrollment
  Demo Reset Steps
Secure access to Office 365 and protect data on mobile devices, apps, and PCs
  Pre-Demo Steps
    Enroll Device for Conditional Access
    Mobile Application Management
    Device Retirement and Selective Wipe
  Demo Reset Steps
Intune Management – The IT Pro Experience
  Pre-Demo Steps
    Conditional Access Policies
    Create a Configuration Policy
  Demo Reset Steps
Appendix 1: Configure your Demo Tenant
  Configuring Tenant for iOS Devices
    Create an Apple ID (if necessary)
    Configure Intune Admin Settings for iOS Device Management
  Apply Contoso Branding to Intune Company Portal
  Assign Managed iOS Apps
  Assign Managed Android Apps
  Create Exchange Online Conditional Access Policy
  Configure Device Compliance Policy
  Configure App Protection Policy
Appendix 2: Configure Your Demo Devices
  Mobile Device Requirements
  Device Setup Steps
    Set Up Device #1 – Unmanaged (iPad or iPhone)
    Set Up Device #2 – Managed (iPad or iPhone)


Demo Overview: Managed Mobile Productivity

People want to access their corporate applications and stay productive from a variety of devices, both at work and away. Using Intune, organizations can provide their employees with access to corporate applications, data, and resources from virtually anywhere on almost any device, while helping to keep corporate information secure.

Scenarios and Features

This demo guide covers the technical scenarios listed below. Please note that some scenarios are available as PowerPoint click-through demos only, as these require a lot of setup to perform live using your demo environment.

Scenario & Value Prop: Secure access to Office 365 and protect data on unmanaged devices
  Technical Scenario: Mobile Application Management without Enrollment
    Demo Resources/Links: Deep Dive Guide, Click Through Guide

Scenario & Value Prop: Secure access to Office 365 and protect data on mobile devices, apps, and PCs
  Technical Scenario: Device-based Conditional Access
    Demo Resources/Links: Deep Dive Guide, Click Through Guide
  Technical Scenario: Mobile Application Management
    Demo Resources/Links: Deep Dive Guide, Click Through Guide
  Technical Scenario: Device Retirement and Selective Wipe
    Demo Resources/Links: Deep Dive Guide

Scenario & Value Prop: Intune Management – The IT Pro Experience
  Technical Scenario: Configuring Conditional Access
    Demo Resources/Links: Deep Dive Guide
  Technical Scenario: Creating a Configuration Policy
    Demo Resources/Links: Deep Dive Guide

Intended Audience

IT Pro, Business Decision Makers, End Users

Length

20-30 minutes

Demo Prerequisites

• A Microsoft Enterprise Mobility + Security (EMS) demo environment provisioned through demos.microsoft.com portal. See the EMS Demos Getting Started Guide for detailed instructions on creating your own demo environment.
• Two iOS mobile devices (iPhone or iPad) running iOS 9 or higher.
  o One device to demo MAM without Enrollment, and the other to demo MAM with Enrollment.
  o This is due to the time requirement to install the managed versions of the applications required for the demo and to ensure policy is fully applied to the device.
  o Android devices are supported as well. For detailed instruction on using Android devices with Intune, please review this article.
• A Windows PC running Windows 8.1 or above.

One-Time Demo Environment Setup

Your demo tenant is pre-provisioned with a lot of content and settings that you can leverage as-is. However, some settings need to be manually configured by you. Please ensure the following activities are performed against your tenant prior to your first demo:

1. If you plan to use custom demo personas for your demo, ensure the user accounts are appropriately licensed for EMS and Office 365. You may use the Office Admin Portal (https://portal.office.com then click Admin tile) to review and modify the tenant subscription and user licensing status.
2. Perform one-time manual setup steps against your demo tenant as detailed in Appendix 1.
3. Prepare your demo mobile devices as detailed in Appendix 2.

Important Note: This demo is best performed using two mobile devices (iPad or iPhone). If you have only one device, we recommend you perform Demo 1 (Secure access to Office 365 and protect data on unmanaged devices) using a click-thru guide, and use your device for performing Demo 2 live.


Secure access to Office 365 and protect data on unmanaged devices

Pre-Demo Steps

Prior to each demo, ensure the following setup steps have been performed in your demo tenant/device. Detailed instructions are provided in the Appendix sections.

• Mobile device that is NOT enrolled to Intune. See Appendix 2 for detailed device setup instructions. If this is not possible, please use the Click Through Guide.
• Verify that the Conditional Access Exchange Online Policy is not enabled.
  o In Microsoft Edge, open https://portal.azure.com and log in with your Global Admin credentials.
  o In the left hand navigation, click Azure Active Directory.
  o In the SECURITY section, click Conditional access.
  o In the policy list, ensure that Exchange Online Policy does not have a check mark in the ENABLED column.
  o If it does, click the policy, set Enable policy to Off and click Save.

Mobile Application Management without Enrollment

Speaker Script

Opening

I think you would agree with me that one of the main capabilities your employees want on their mobile devices is access to their corporate email and documents. And they expect to do it in a fast and easy way without the need of going through multiple complex steps or calling the help desk. IT, on the other hand, wants to keep the corporate data secure wherever it is. Let me show how you can solve both of these problems with Office 365 and EMS.

A new capability of Microsoft Intune allows Mobile Application Management (MAM) without requiring the device to be enrolled for IT management: Intune MAM without Enrollment. This is particularly useful for BYOD scenarios where end users don’t want to or can’t enroll their devices for IT management. This capability is also useful in cases where a device is already enrolled in another MDM solution.

This is Isaiah Langer’s personal mobile device. He occasionally uses it to access corporate data belonging to his company, Contoso. However, Isaiah has not yet enrolled his device into any MDM solution. Let’s take a peek at device settings to confirm this.

If this device was enrolled in an MDM solution, you would see an entry under VPN labelled Device Management, but no such entry exists. So we can conclude this device is not enrolled in an MDM solution.

Now that we have verified that the device is not enrolled, open an app that is targeted with Contoso’s MAM without Enrollment policy: the OneDrive app.

We have logged in to this app as Isaiah Langer with his corporate identity at Contoso.

As you can see, there are a few prompts, some notifying you that the apps are being managed and requiring you to create a 4-digit PIN.

Now, we will open a Word document from his OneDrive folder – a corporate location – and see what is allowed or disallowed by the MAM policy defined by Contoso’s IT Administrator.

When attempting to save the corporate document to the local device, we received an error stating “Your administrator doesn’t allow saving to personal locations”. The iPad location here is a local storage space, not considered a corporate location by the MAM policy.

Click Steps

Perform these steps on an unmanaged iOS device (Device #1).

1. Tap on Settings app to open.
2. Tap General, then scroll to the bottom.
3. Locate the settings group containing iTunes Wi-Fi Sync and VPN. Note: If the device was enrolled, there would be a third setting in this group – see sample screenshots below.
   [Screenshots: Not Enrolled to MDM; Enrolled to MDM]
4. Navigate back to the device’s Home screen.
5. Open OneDrive app. If prompted to restart the application, please restart the application to apply the MAM policy to the app.
6. Tap OK when notified with a message regarding protection of company data in the app.
7. If prompted, type the PIN you set for the app.
8. Scroll down, then tap Holiday Web Marketing Strategies document.
9. At the top of the screen, tap the Word icon. The document will open in Word app.
10. In the Word menu, tap File > Save a Copy.
11. Tap iPad.
12. Tap Save. Note the prompt that disallows save.
13. Tap OK on the error message.
14. Tap OneDrive.
15. Tap Save. Note that save is allowed.

Speaker Script

When saving this same document to the corporate OneDrive for Business, there are no restrictions.

Isaiah may still attempt to transfer corporate data through copy/paste. MAM without Enrollment policy can control where corporate data can be pasted to as well.

Let’s attempt to paste this data into a new document.

As you can see, the Paste function is not available in a newly created document.

For the Paste function to work, the Word document first has to be saved to an authorized location. Let’s save this document in an authorized location and retest the copy/paste function.

Once the new document is saved to an authorized location, Isaiah’s corporate OneDrive, the paste function appears.

Now you are able to successfully paste the contents into the new document.

But what do you think would happen if I were to attempt to paste the same information into the Notes app?

One would think that MAM w/o Enrollment only concerns itself with the location in which corporate data is stored through the use of managed apps.

But that is not the case.

Not only does MAM w/o Enrollment concern itself with the location where you attempt to save corporate data, but also with the applications which you try to import/export corporate data to.

Although this device is not enrolled in an organization’s MDM solution, the MAM w/o Enrollment policies set by the organization block you from taking data outside of the organization in a variety of different ways, thereby protecting against data leakage.

Click Steps

16. Tap/hold (1-2 secs) anywhere in the document, then release to reveal copy menu.
17. Tap Select All > Copy.
18. On the document menu bar, tap the Back Button.
19. Tap New > Blank Document.
20. Tap/hold (1-2 secs) then release anywhere in the document.
21. Tap Paste.
22. Note the text that is pasted.
23. Tap the File Menu > Name
24. Tap OneDrive – Contoso <tenant> > Save.
25. Tap/hold (1-2 secs) on the previously pasted text then release.
26. Tap Select All.
27. Tap Paste.
28. Press the Home button.
29. Tap on the Notes app.
30. In the upper right corner, tap the New Note icon.
31. Click on the cursor.
32. Tap/hold (1-2 secs) then release anywhere in the document.
33. Tap Paste. Note the text that is pasted in to the app.

Demo Reset Steps

Perform these steps after each demo presentation to ensure re-usability of this demo environment:

Device #1:
1. Delete new Word documents saved to OneDrive.

Secure access to Office 365 and protect data on mobile devices, apps, and PCs

Pre-Demo Steps

Prior to each demo, ensure the following setup steps have been performed in your demo tenant/device. Detailed instructions are provided in the Appendix sections.

• A mobile device that is NOT enrolled to Intune.
• Another mobile device that IS already enrolled to Intune and configured as recommended in the Appendix.
• This is due to the time requirement to install the managed versions of the applications required for the demo and to ensure policy is fully applied to the device.
• If this is not possible, please use the Click-Through-Guides for Enrollment and Mobile Application Management.
• See Appendix 2 for detailed device setup instructions.
• Verify that the Conditional Access Exchange Online Policy is enabled.
  o In Microsoft Edge, open https://portal.azure.com and log in with your Global Admin credentials.
  o In the left hand navigation, click Azure Active Directory.
  o In the SECURITY section, click Conditional access.
  o In the policy list, ensure that Exchange Online Policy has a check mark in the ENABLED column.
  o If it does not, click the policy, set Enable policy to On and click Save.

Speaker Script

Opening

One of the main capabilities your employees want on their mobile devices is access to their corporate email and documents. And they expect to do it in a fast and easy way without the need of going through multiple complex steps or calling the help desk. IT, on the other hand, wants to keep the corporate data secure wherever it is.

Click Steps

Perform these steps on mobile device #1.

1. On your device, launch Outlook app.
2. Tap Get Started, then dismiss app initialization/welcome messages, if necessary.
3. If prompted for notifications tap No Thanks.

Enroll Device for Conditional Access

Speaker Script

When employees add their corporate Office 365 account in the Outlook app, they expect to get access to all of their email, but with EMS you can enable conditional access which ensures that employees access corporate email only from managed and compliant devices.

As you can see here, they are blocked and are informed that in order to get access they need to first enroll their device to Intune.

Enrollment is performed via the Intune Company Portal app. The app is already installed on this device, so the user can launch straight in to the enrollment process.

Employees need to log in with their corporate Azure AD identity (the same credentials an employee would use to access email), and go through the standard iOS enrollment process that includes applying a management profile and certificates for secure communication between the device and Microsoft Intune.

There are a few things happening behind the scenes here. First, Intune gets device information without collecting personal data since this is a personal device. Next, Intune also registers this device with Azure AD, so now both Intune and Azure AD know that this device belongs to this employee, which is useful for a few other scenarios when the employees want to access corporate resources from this device. Intune also starts to deploy and enforce device settings like password requirements, resource access profiles such as WiFi and VPN, certificates, and applications.

Once the enrollment is completed, employees need to ensure that their device is compliant with the corporate policies. This is a great solution since employees get access to email with just a few simple steps, but IT is also happy because the corporate data is accessed only from managed devices.

So far, I showed you that you can require your employees to get their devices managed by Intune in order to get access to corporate resources such as email and documents.

Click Steps

4. Enter the email address: IsaiahL@<tenant>.onmicrosoft.com
5. Tap Add Account.
6. Sign in with the tenant password.
7. Tap Sign in. Note the Conditional Access policy message that blocks access to email.
8. Tap Enroll.
9. Tap OPEN to launch Microsoft Intune Company Portal app.
10. Log in to Intune Company Portal as IsaiahL@<tenant>.onmicrosoft.com and tap Sign in.
11. On Company Access Setup page, tap Begin.
12. Tap Continue twice to skip the introductory pages.
13. On What comes next? page, tap Enroll. You will be directed to the built-in iOS Settings app. Complete the enrollment steps:
   • On Install Profile page, tap Install.
   • Enter device passcode (prompted only if device currently has a passcode).
   • Tap Install.
   • On Warning page, tap Install.
   • On Remote Management dialog, tap Trust.
   • On Profile Installed page, tap Done.
   • Tap Open to open the page in the Intune Company Portal app.
   • On Company Access Setup page, tap Continue.
   • Tap Done to complete Company Access Setup.
   • You should now see the Intune Company Portal home page.
14. Press the device’s home button. If your device does not have a PIN, you’ll see a Passcode Requirement dialog where you must set one within 60 minutes.
15. Tap Continue, then set a new device passcode. If your device has a passcode currently, you’ll be prompted to type that in first.
   Tip: For a complex, 4-character passcode, use 1111 so it’s easy to remember.
16. Tap Outlook to return to app.
17. Tap the back arrow to return to the Add Email Account page.
18. Tap Sign In with Office 365.
19. Login as IsaiahL@<tenant>.onmicrosoft.com.
20. Tap Maybe Later on Add Another Account page.
21. Tap Skip on the Focused Inbox page.
22. Note the Inbox is now populated with IsaiahL’s emails from Exchange server.

Mobile Application Management

Speaker Script

Once the device is enrolled, employees are now able to access the Intune Company Portal app.

Through the Intune Company Portal app, you also have quick access to IT Support information.

The Intune Company Portal app provides access to install managed applications. These apps could consist of corporate line-of-business applications or apps available through the public app stores.

Intune is able to manage and enforce app restrictions for Office mobile apps and other 3rd party productivity apps on both iOS and Android devices, thus increasing the productivity and collaboration capabilities of employees while protecting and securing corporate data.

Now, let’s take a look at data protection with Mobile Application Management policies.

Mobile Application Management policies not only manage the apps but also all corporate data being accessed by a user’s corporate credentials. Through these policies, features such as copy/cut/paste/save are thoroughly controlled, essentially not allowing a user to perform such actions in unauthorized apps or locations.

To gain a better understanding, let’s take a look at the Northwind Proposal document attached in Alex Wilber’s email.

First, let’s test the copy/paste function in a new email.

In Isaiah’s personal email account, the paste function is not available.

Now to see if the same function is available in his corporate email account.

As expected, the copy/paste function is available through Isaiah’s corporate email account, thus ensuring that corporate data is only sent via authorized accounts. What would happen if someone tried pasting this information into an unmanaged app, such as Notes?

As you can see, the paste option is shown in Notes, an unmanaged app; however, no content is pasted when the user selects that action.

Again this ensures that corporate information is kept in authorized locations only.

Lastly, let us look at the save function.

To do so, we will use the same attachment but open it in Word.

Let’s first attempt to save this document to Isaiah’s personal Dropbox and review the results.

It seems we are not allowed to perform this action due to the MAM policies in place.

However, when attempting to save this same document to Isaiah’s corporate OneDrive, the action was seamless and allowed.

Click Steps

Note: Perform this demo on your enrolled device (#2): the device that you ended up with at the end of the setup in Appendix 2.

1. Launch the Company Portal app on your Intune enrolled mobile device.
2. Scroll up/down the screen and show custom branding and IT Support info.
3. Tap All Apps to reveal available apps.
4. Press home button to close the Company Portal app.
5. Launch Outlook app (which is now configured with 2 email accounts).
6. In Isaiah’s corporate inbox, scroll down and tap on an email from Alex Wilber (subject Northwind Proposal).
   Tip: You may open any email in the user’s corporate inbox with a Word document attachment.
7. Tap on the attachment file name to preview contents.
8. Tap Word to open the document in Word.
9. On a text paragraph, tap and hold, then Select.
10. Drag the handles to select the whole paragraph.
11. Tap Copy.
12. At the top left, tap Back to Outlook.
13. Tap Close to dismiss document preview.
14. Tap compose new email icon.
15. Tap on the email address label at top of the screen, and tap on personal mail account to switch.
16. In the message body (whitespace) tap and hold to reveal paste option.
17. Click Paste and note that the pasted text is not the corporate content.
18. Tap on the email address label at top of the screen again, then switch to Isaiah’s corporate account.
19. In the message body (whitespace) tap and hold for a second to reveal Paste option, then tap Paste.
20. Discard the email message (by tapping X icon, then confirming Delete draft).
21. Press the home button, then launch the built-in iOS Notes app.
22. Create a new note and attempt to paste (tap + hold on whitespace). Note you will not be able to paste the corporate content (even if Paste option/menu item is visible).
23. Double-press the home button, then return to Outlook app.
24. Back in the Northwind Proposal email, tap the attachment to open the document preview.
25. Tap Word to open the document in Word.
26. Tap the File menu icon in Word app, then Save a Copy.
27. Tap Dropbox.
28. Tap Save.
29. At alert box with message: “Your administrator doesn’t allow saving to personal locations.” tap OK.
30. Tap OneDrive - Contoso, then Save.

Device Retirement and Selective Wipe

Speaker Script

Let’s imagine a scenario where the employee decides to un-enroll the device from Intune. Perhaps the employee is no longer with the company, or the employee no longer wants to use the device for work. What will happen to the corporate data on the device?

Intune provides a way for the end user to retire the device by un-enrolling from Intune. The selective wipe policy will destroy all corporate data from the device, but leave personal data intact.

Intune also allows an IT Administrator to retire devices remotely from the Intune management portal. Furthermore, the Administrator can remotely perform full device wipe, remote lock, and passcode reset capabilities to help secure data on lost or stolen devices. You issue these commands from the Admin console.

Click Steps

1. Launch Company Portal app.
2. Under My Devices, tap the icon for your device.
3. Tap Remove button at the bottom.
4. Tap Remove again to confirm.
5. Press the home button to return to device home page.
6. Launch Outlook app.
7. Note the App Wipe alert message, then dismiss it.
8. Dismiss login prompts for IsaiahL’s corporate O365 credentials.
9. Note the Outlook inbox still has Isaiah’s personal mails.

Demo Reset Steps

Perform these steps after each demo presentation to ensure re-usability of this demo environment:

• If the IT Pro demo is not being shown, ensure that the Conditional Access Exchange Online Policy is not enabled.
  o In Microsoft Edge, open https://portal.azure.com and log in with your Global Admin credentials.
  o In the left hand navigation, click Azure Active Directory.
  o In the SECURITY section, click Conditional access.
  o In the policy list, ensure that Exchange Online Policy does not have a check mark in the ENABLED column.
  o If it does, click the policy, set Enable policy to Off and click Save.

Device #2:
1. Browse to IsaiahL’s OneDrive Pro for Business web site (https://<tenant>-my.sharepoint.com/, logged in as IsaiahL) then delete the Northwind Proposal document from the root.
2. Go through steps of Setup Device #2 in the appendix so the same device is ready for your next demo. You may skip the steps where the configurations from prior runs are already there (e.g. Dropbox setup, personal inbox setup, etc.)

Intune Management – The IT Pro Experience

Pre-Demo Steps

This section focuses on IT Pro/administrative tasks for Intune management.

1. Verify that the Conditional Access Exchange Online Policy is enabled.
   • In Microsoft Edge, open https://portal.azure.com and log in with your Global Admin credentials.
   • In the left hand navigation, click Azure Active Directory.
   • In the SECURITY section, click Conditional access.
   • In the policy list, ensure that Exchange Online Policy has a check mark in the ENABLED column.
   • If it does not, click the policy, set Enable policy to On and click Save.
2. Navigate to the Azure Portal: https://portal.azure.com.
3. Log in with your demo tenant’s global admin’s credentials.
4. In the left navigation pane, click More services.
5. In the filter text box, type Intune and click Intune in the search results (not Intune App Protection).

Conditional Access Policies

Speaker Script

How difficult is this to configure for the IT Admin? Typically, this is a challenging project that often requires email gateways, servers in the perimeter network, lots of configuration, and custom scripts. Due to our cloud architecture, we significantly reduced the complexity, and made it very easy to configure.

There are only 2 things IT needs to do to enable conditional access.

First, we define a compliance policy in Intune Admin Console which checks whether the device is healthy or not. As you can see, there are multiple settings that can be checked on the devices running Windows, Windows Phone, iOS, and Android.

Second, we enable the conditional access policy. In this example, it is enabled for Exchange Online. The appropriate restrictions and targeted groups are configured. Now employees in these groups need to have their devices enrolled and healthy in order to access the email.

Click Steps

1. Bring up the browser session with the Microsoft Intune blade.
2. Click Device Compliance.
3. Under MANAGE, click Policies.
4. Click Enterprise Compliance Policy and click Properties.
5. Review some of the settings in the policy by clicking on Settings and clicking on each of the categories:
   a. Email
   b. Device Health
   c. Device Properties
   d. System Security
6. Click X on each open blade until back at the Microsoft Intune overview blade.
7. In the list, click Conditional Access.
8. In the list, click Conditional Access in Azure Active Directory.
9. Click Exchange Online Policy.
10. Click on Cloud Apps to show Exchange Online is selected.
11. On the Exchange Online Policy blade, under Access Controls, click Grant to show the requirement for compliant device.
12. On the Exchange Online Policy blade, point to Enable Policy setting.
13. On the Exchange Online Policy blade, click Users and groups to show the selected groups.
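
The same checks the click steps walk through (cloud app, grant control, enable state, targeted groups) can be run offline against a policy export. This is an added example, not part of the original demo guide: it assumes the policies were exported as JSON in the shape of the Microsoft Graph conditionalAccessPolicy resource, and the sample export, the second "weak" policy, the placeholders and the function names are constructed for illustration.

```python
import json

# Application ID of Office 365 Exchange Online in Azure AD.
EXCHANGE_ONLINE_APP_ID = "00000002-0000-0ff1-ce00-000000000000"

# Constructed sample export (not real tenant data). The second policy is a
# deliberately weak variant that shows what the audit reports.
SAMPLE_EXPORT = json.loads("""
{
  "value": [
    {
      "displayName": "Exchange Online Policy",
      "state": "enabled",
      "conditions": {
        "applications": {"includeApplications": ["00000002-0000-0ff1-ce00-000000000000"]},
        "users": {"includeUsers": [], "includeGroups": ["GROUP-ID-PLACEHOLDER"]}
      },
      "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}
    },
    {
      "displayName": "Constructed weak policy",
      "state": "enabledForReportingButNotEnforced",
      "conditions": {
        "applications": {"includeApplications": ["APP-ID-PLACEHOLDER"]},
        "users": {"includeUsers": [], "includeGroups": []}
      },
      "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]}
    }
  ]
}
""")


def find_policy(export, display_name):
    """Return the policy with this display name, or None if it is absent."""
    for policy in export.get("value", []):
        if policy.get("displayName") == display_name:
            return policy
    return None


def audit_device_based_access(policy):
    """List reasons the policy does not enforce 'compliant device' for Exchange Online."""
    findings = []
    if policy.get("state") != "enabled":
        findings.append("state is %r, so the policy is not enforced" % policy.get("state"))

    conditions = policy.get("conditions") or {}
    apps = conditions.get("applications") or {}
    included = set(apps.get("includeApplications") or [])
    # "All" and "Office365" are group values that also cover Exchange Online.
    if not included & {EXCHANGE_ONLINE_APP_ID, "Office365", "All"}:
        findings.append("Exchange Online is not among the targeted cloud apps")

    users = conditions.get("users") or {}
    if not (users.get("includeUsers") or users.get("includeGroups")):
        findings.append("no users or groups are targeted")

    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    if "compliantDevice" not in controls:
        findings.append("grant controls do not require a compliant device")
    elif grant.get("operator") == "OR" and len(controls) > 1:
        findings.append("operator OR lets another control substitute for device compliance")
    return findings


def demo_ready(export, display_name, want_enabled):
    """Pre-demo check: the named policy exists and its enabled state matches."""
    policy = find_policy(export, display_name)
    if policy is None:
        return False
    return (policy.get("state") == "enabled") == want_enabled


if __name__ == "__main__":
    for p in SAMPLE_EXPORT["value"]:
        print(p["displayName"], "->", audit_device_based_access(p) or "OK")
    # The MAM without Enrollment demo needs the policy off; the enrolled demo needs it on.
    print("ready for enrolled-device demo:",
          demo_ready(SAMPLE_EXPORT, "Exchange Online Policy", want_enabled=True))
```
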

Create a Configuration Policy

Speaker Script

In Microsoft Intune, configuration policies are groups of settings that control features on computers and mobile devices. You create policies by using templates that contain recommended or customized settings, and then deploy them to device or user groups. In these demos, I will show you a variety of policy settings for managing mobile devices.

You add all configuration policies the same way. The only difference is that you choose different policy templates, depending on what you want to manage. Within each type of profile there is a whole variety of configuration settings, from device restrictions to configuring Wi-Fi and VPN settings for devices.

Click Steps

1. Click X on each open blade until back at the Microsoft Intune overview blade.

2. Click Device configuration.

3. Click Profiles.

4. Click + Create profile.

5. Set the Name to Enterprise Device Profile.

6. In the Platform drop down list, select iOS.

7. Review some of the options in the Profile Type drop down list.

8. In the drop down list, click Device restrictions.

9. Review the categories of restrictions.


10. Click-through categories of interest.

11. When finished, click X on each open blade until back at the Microsoft Intune overview blade, clicking OK if prompted to discard edits.

Demo Reset Steps

Perform these steps after each demo presentation to ensure re-usability of this demo environment:

To enable future MAM without Enrollment demos, ensure that the Conditional Access Exchange Online Policy is not enabled.

o In Microsoft Edge, open https://portal.azure.com and log in with your Global Admin credentials.
o In the left hand navigation, click Azure Active Directory.
o In the SECURITY section, click Conditional access.
o In the policy list, ensure that Exchange Online Policy does not have a check mark in the ENABLED column.
o If it does, click the policy, set Enable policy to Off and click Save.

Appendix 1: Configure your Demo Tenant

These steps need to be performed only once per demo tenant, and are required prior to performing demos or configuring devices for demoing.

Configuring Tenant for iOS Devices

Estimated Setup Time: 15 minutes

Before you can manage iOS mobile devices with Intune, you need an Apple Push Notification service (APNs) certificate. This certificate allows Intune to manage iOS devices and establish an accredited and encrypted IP connection with the mobile device management authority services. These steps need only be performed once per tenant. Perform these steps on a Windows 8.1 (or higher) device (not an iOS device) using the Internet Explorer or Firefox browser. There are two major steps for this configuration:

Create an Apple ID (if necessary)

You may use your existing Apple ID, if you have one, and skip this section.

1. Navigate to the following URL https://appleid.apple.com/ and click Create your Apple ID.
2. Fill in the My Apple ID form as required. Sample values provided below – feel free to use your own values.
    o Email: admin@<tenant>.onmicrosoft.com (replace <tenant> with appropriate value)
    o Password (example): Contoso1
    o First Name: Demo
    o Last Name: Admin
    o Birthday: (fill in as appropriate)
    o Choose the 3 security questions from the drop-downs and answer them as appropriate.
    o Country: (fill in as appropriate)
    o Uncheck Email preference options
    o Type in the captcha text as you see on the screen
3. Click Continue.
4. To verify your email address:
    o Browse to https://outlook.office365.com/.
    o Log in with your Domain Admin credentials (same account you used for Apple ID above).
    o Locate the email from Apple with subject Verify your Apple ID, then make a note of the verification code in the email.
    o Return to the Apple ID page and enter the verification code from the email.

Configure Intune Admin Settings for iOS Device Management

5. Navigate to the Azure Portal: https://portal.azure.com.
6. Log in with your demo tenant’s global admin’s credentials.
7. In the left navigation pane, click More services.
8. In the filter text box, type Intune and click Intune in the search results (not Intune App Protection).
9. Click Device Enrollment.
10. Click Apple Enrollment.
11. On the Apple MDM Push Certificate tile click Click to set up.
12. In the list of Steps, click Download your CSR.
13. In the list of Steps, click Create your MDM push Certificate. You will be taken to Apple Push Certificates Portal web site.
    Note: If you closed the previous browser session and are prompted for login, provide the Apple ID credentials you set up earlier.
14. Click Create a Certificate.
15. Accept Terms of Use by checking appropriate box and clicking Accept.
16. In the Create a New Push Certificate page, click Browse… under Vendor-Signed Certificate Signing Request.
17. Point to the .CSR file you saved to your local computer earlier (in step 8 above) and click Open.
18. Click Upload.
    o If you see a prompt to download a .json file, ignore it.
    o If you are not re-directed to a new page after 30 seconds, click Cancel, which will take you to Apple Push Certificates Portal page.
19. Click Download to download the Mobile Device Management certificate. Save the file to a local folder on your PC with .pem file extension.
20. Return to Azure Portal > Configure MDM Push Certificate page.
21. In the Apple ID text box, enter the Apple ID used to sign in to the Apple Push Certificates Portal.
22. On step 4, click the browse icon, browse to the certificate you downloaded earlier (.pem file), and click Open.
23. Click Upload.

Your demo tenant is now ready to accept iOS devices for enrollment!

Apply Contoso Branding to Intune Company Portal

Estimated Setup Time: 3 minutes

1. If necessary, log in to the Azure Portal (https://portal.azure.com) as your demo tenant’s Global Administrator.
2. In the left navigation pane, click More services.
3. In the filter text box, type Intune and click Intune in the search results (not Intune App Protection).
4. Click Mobile Apps.
5. In the SETUP section, click Company Portal branding.
6. Fill in the form as follows:
    a. Company Name: Contoso
    b. IT department contact name: IT Admin
    c. IT department phone number: 800-555-1234
    d. Support website URL: https://<tenant>.sharepoint.com/sites/contoso/Employee/ITWeb
    e. Website name: IT Web
    f. Check the box for Show company logo
    g. For Select a logo to use on light backgrounds, click the Browse icon.
    h. In the file name text box enter http://emsassetspub.blob.core.windows.net/demoassets/Logo.png and click Open.
    i. For Select a logo to use on dark backgrounds, click the Browse icon.
    j. In the file name text box enter http://emsassetspub.blob.core.windows.net/demoassets/Logo.png and click Open.
    k. Set Show company name next to logo to unchecked.
7. At the top of the blade, click Save.

Assign Managed iOS Apps

Estimated Setup Time: 15 minutes

1. If necessary, log in to the Azure Portal (https://portal.azure.com) as your demo tenant’s Global Administrator.
2. In the left navigation pane, click More services.
3. In the filter text box, type Intune and click Intune in the search results (not Intune App Protection).
4. Click Mobile Apps.
5. In the MANAGE section, click Apps.
6. Click on the line for Excel on the iOS platform.
7. In the MANAGE section of the App blade, click Assignments.
8. Click Select groups.
9. In the search text box, enter sg-, and click sg-Sales and Marketing in the results.
10. Click Select.
11. In the Type drop down list, select Available and click Save.
12. Click on the X to close the blade for Excel – Assignments.
13. Repeat steps 6 to 12 for the following iOS applications:
    o Managed Browser
    o OneDrive
    o Outlook
    o PowerPoint
    o Word

Assign Managed Android Apps

If you wish to demo using Android devices, you can follow the same steps as above to publish Android applications in the Intune Company Portal.

Create Exchange Online Conditional Access Policy

Estimated Setup Time: 5 minutes

1. In Microsoft Edge, open https://portal.azure.com and log in with your Global Admin credentials.
2. In the left hand navigation, click Azure Active Directory.
3. In the SECURITY section, click Conditional access.
4. If Exchange Online Policy does not exist, click + New Policy and configure it as follows:
    a. Name: Exchange Online Policy
    b. Users and Groups: sg-Sales and Marketing
    c. Cloud apps: Office 365 Exchange Online
    d. Grant: Require device to be marked as compliant
    e. Enable policy: Off
5. Click Create.


Configure Device Compliance Policy

Estimated Setup Time: 5 minutes

1. If necessary, log in to the Azure Portal (https://portal.azure.com) as your demo tenant’s Global Administrator.
2. In the left navigation pane, click More services.
3. In the filter text box, type Intune and click Intune in the search results (not Intune App Protection).
4. Click Device Compliance.
5. Under MANAGE, click Policies.
6. Click + Create Policy.
7. Set the Name to Enterprise Compliance Policy.
8. In the Platform drop down list, select iOS.
9. Click Device Health.
10. Set Jailbroken devices to Block and click OK.
11. Click System Security and set the following values:
    a. Require a password to unlock mobile devices: Require
    b. Minimum password length: 4
    c. Require password type: Numeric
12. On the System Security blade, click OK, and then on the iOS compliance policy blade click OK.
13. Click Create to finalize the policy.
14. In the list of policies, click Enterprise Compliance Policy, then click Assignments.
15. Click Select groups.
16. In the search box, type sg-.
17. Select sg-Sales and marketing and click Select.
18. At the top of the blade, click Save.
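The Exchange Online Policy and the Enterprise Compliance Policy configured above combine into a single access decision. The Python sketch below is an added example, not Microsoft's evaluation logic or code from this guide; it is a simplified model built from the guide's values (sg-Sales and Marketing, Office 365 Exchange Online, Jailbroken devices: Block, minimum password length 4), and the class and function names are hypothetical.

```python
from dataclasses import dataclass

# Values taken from the guide's setup steps; all names here are this example's own.
TARGET_GROUP = "sg-Sales and Marketing"
TARGET_APP = "Office 365 Exchange Online"
MIN_PASSWORD_LENGTH = 4


@dataclass
class Device:
    enrolled: bool
    jailbroken: bool = False
    password_length: int = 0  # 0 means no unlock password is set


@dataclass
class AccessPolicy:
    enabled: bool  # the "Enable policy" switch
    groups: tuple = (TARGET_GROUP,)
    cloud_apps: tuple = (TARGET_APP,)


def compliance_failures(device):
    """Return the reasons a device fails the modelled compliance policy."""
    if not device.enrolled:
        # An unenrolled device is never evaluated, so it cannot be marked compliant.
        return ["not enrolled"]
    failures = []
    if device.jailbroken:
        failures.append("jailbroken")
    if device.password_length == 0:
        failures.append("no password")
    elif device.password_length < MIN_PASSWORD_LENGTH:
        failures.append("password too short")
    return failures


def access_decision(policy, user_groups, app, device):
    """Return (allowed, reason) for one sign-in under the simplified model."""
    if not policy.enabled:
        return True, "policy off"
    if app not in policy.cloud_apps:
        return True, "app not targeted"
    if not set(user_groups) & set(policy.groups):
        return True, "user not targeted"
    failures = compliance_failures(device)
    if failures:
        return False, "non-compliant: " + ", ".join(failures)
    return True, "compliant device"
```

With Enable policy set to Off, as the setup and reset steps leave it, the model lets an unenrolled device through to Exchange Online, which is the state the MAM without Enrollment demo depends on.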

Configure App Protection Policy

Estimated Setup Time: 5 minutes

1. If necessary, log in to the Azure Portal (https://portal.azure.com) as your demo tenant’s Global Administrator.
2. In the left navigation pane, click More services.
3. In the filter text box, type Intune and click Intune in the search results (not Intune App Protection).
4. Click Mobile Apps.
5. In the MANAGE section, click App Protection Policies.
6. In the policy list, click iOS ODFB-Word Protection Policy.
7. Click User Groups and ensure policy is assigned to sg-Sales and Marketing.
    a. If not, click Add user group.
    b. In the search box, type sg-.
    c. Click sg-Sales and Marketing, then click Select.
8. Click Targeted apps and ensure Word and OneDrive are checked.
    a. If not, check Word and OneDrive and click Save.
9. Click Policy settings and ensure the following settings are set:
    a. Allow apps to transfer data to other apps: Policy managed apps
    b. Prevent “Save As”: Yes
    c. Select which storage services corporate data can be saved to:
        o OneDrive for Business
        o SharePoint
    d. Restrict cut, copy and paste with other apps: Policy managed apps with paste in
    e. If changes were made, at the top of the Policy settings blade click Save.


Appendix 2: Configure Your Demo Devices

The demo configuration and documentation has been written for and tested against iOS devices. Android devices are supported as well but demo steps have not been specifically provided. For detailed instruction on using Android devices with Intune, please review this article.

Mobile Device Requirements

o iOS (iPad or iPhone) running latest versions of iOS 9 or above.
    o Ideally, two such devices to be able to perform Demo 1 and Demo 2 back-to-back without setup time in between.
    o This is due to the time requirement to install the managed versions of the applications required for the demo and to ensure policy is fully applied to the device.
o Ensure devices are free of the following apps (delete these apps if they exist in the devices currently):
    o Outlook for iOS
    o Word for iOS
    o OneDrive for iOS
o If feasible, perform a factory reset of the devices.

Device Setup Steps

Estimated Setup Time: 30-45 minutes

Set Up Device #1 – Unmanaged (iPad or iPhone)

You will perform the MAM without Enrollment and Conditional Access demo (Demo #1 and #2) on this device, hence the setup requirements are minimal.

1. Go to the iOS App Store and search for Microsoft Intune.
2. Download/install the apps Microsoft Intune Company Portal, Outlook, OneDrive and Word.
    You can use any Apple ID to sign in to the App Store, or you can use the Apple ID created in Appendix 1.
3. Sign in to OneDrive and Word as IsaiahL@<tenant>.onmicrosoft.com.
4. You may be prompted to restart OneDrive and sign in again so that management policies can be applied.
5. You will be required to set a PIN on the device; configure it to something memorable.
6. You will also be required to set an application level PIN for OneDrive, so configure it to something memorable also.

Set Up Device #2 – Managed (iPad or iPhone)

You will perform the Mobile Application Management demo (Demo #2) on this device.

1. Go to the iOS App Store and search for Microsoft Intune.
2. Download/install the app Microsoft Intune Company Portal.
3. Launch the app (will be labeled Comp Portal).
4. Sign in to Intune Company Portal with the following account: IsaiahL@<tenant>.onmicrosoft.com


TIP: copy the account email address in your device’s buffer so you can paste it easily later, instead of typing it each time!

5. On Company Access Setup page, tap Begin.
6. Tap Continue twice to skip the introductory pages.
7. On What comes next? page, tap Enroll. You will be directed to the built-in iOS Settings app.
8. On Install Profile page, tap Install.
9. Enter device passcode (prompted only if device currently has a passcode).
10. Tap Install.
11. On Warning page, tap Install.
12. On Remote Management dialog, tap Trust.
13. On Profile Installed page, tap Done.
14. Tap Open to open the page in the Intune Company Portal app.
15. On Company Access Setup page, tap Continue.
16. Tap Done to complete Company Access Setup.
17. You should now see the Intune Company Portal home page.
18. When prompted to set up a password or PIN code, set a PIN for the device.
    Note: Remember the PIN as it will be required for the demo.
19. Back in Intune Company Portal app, tap All Apps.
20. Tap on each of the following apps then Install (note: for each app, you’ll see App Installation confirmation pop-up message after 10-20 seconds. Tap Install to confirm).
    o Outlook (required for demo flow)
    o Word (required for demo flow)
    o PowerPoint (optional but recommended)
    o Excel (optional but recommended)
    o OneDrive (optional)
    o Managed Browser (optional)

Note: Depending on your internet speed, it may take 10-30 minutes for these apps to finish installing to your device! Sometimes, for the larger apps (Word, Excel, PowerPoint), the Company Portal will time out and report that they have failed to install, even though installation is still progressing. If installation is not progressing, you can tap on the alerts in the Company Portal to retry installation.

Setup Outlook/Emails/Dropbox:

21. When Outlook app has finished installing, tap on its icon to launch it.
22. If prompted to set up a numeric pin, tap an easy to remember 4-digit number, e.g. 1111.
23. Tap Get Started, then No Thanks.
24. On the Add Email Account page, paste Isaiah Langer’s corporate email address (IsaiahL@<tenant>.onmicrosoft.com) and tap Add Account.
25. Type in IsaiahL’s password then tap Sign in.
26. Tap Maybe later, then tap Skip.
27. Tap Settings at the bottom of the screen, then + Add Account.
28. Tap Add Email Account.
29. Enter your personal demo email credentials and select/copy the email address in clipboard memory (for use later).


30. Tap Add Account.
31. Type the password, then tap Sign in.
32. Tap Settings at the bottom of the screen, then + Add Account.
33. Tap Add Storage Account, then tap Dropbox.
34. In the Dropbox sign in page, enter your personal demo Dropbox credentials then tap Sign in.
35. At the prompt tap Allow.

Setup/Configure Word

36. In Isaiah’s corporate inbox, scroll down and tap on an email from Alex Wilber (subject Northwind Proposal).
37. Tap the email attachment to open the preview.
38. Tap Word to open the document in Word.
39. If this is the first time you’re launching Word app on this device, you’ll see several welcome messages and tips. Dismiss all such messages.
40. When the document opens, tap Sign In, and log in with IsaiahL’s credentials.
41. Tap the File menu icon in Word app, then Save a Copy.
42. Tap Add a Place.
43. Tap Dropbox.
44. In the Dropbox login page, enter your personal demo Dropbox credentials then tap Sign in and Link.
45. Close the Northwind Traders Proposal document by tapping the exit icon.

You have now successfully set up and smoke tested your demo tenant and demo devices. We recommend you proceed with a run-through of the demo steps to familiarize yourself with the demo.
