2023E06 - iOS Provisioning (I.T)

Captions
Hello and welcome to another episode of intune.training, the place to learn how to use Microsoft Intune. The Steve and Adam show, with Steve and Adam. I'm Steve. Hey Steve, what's up buddy? Ah, not much, about yourself? Hanging in there. Let's just act like we haven't been talking for the last two hours. What are you talking about, we haven't been. Let's catch up, this is new and we're having a lot of fun here. That's right. Well, yeah, hello audience. Um, I just want to say, uh, thanks for those of you who have been joining us for the new reboot on the channel. We've gotten lots of really great feedback, um, so keep, keep the comments coming. I think for, for like five years' worth of videos this is the highest number of comments and likes and things that we've had consistently on our content, so I, we at least feel like you guys are engaging more. Um, I don't know if you're liking it more or not, but, but you're at least commenting more and giving us, uh, telling us what you want to see, so appreciate it, keep it coming. Yeah, definitely. Um, okay, so today we are going to continue our journey down the, uh, device provisioning path. So in, in, now it doesn't matter really which order you're watching these in, except maybe this one matters a little bit. So we're going to release a macOS video, or we will have released it by the time you watch this. Yeah, we, we oops just a little bit, we had hoped to break these into the right chunks. But anyway, on the macOS video we talk, we talk through all of the Apple Business Manager integration components that tie into Intune. Those are all going to be prerequisites for the steps that we're going to do tonight, today, whatever, whatever, whatever time it is now, in this video. In this video. Um, so you'll need to go and, and walk through the macOS provisioning even if you're only doing iOS. Sorry about that. Um, we could reboot, reboot again, but, and just go watch the other one. Um, we're gonna screw up like this other times, this is just gonna, this is how it is. So, um, go watch it. If you're new to
the channel, this is normal. Yeah, yeah, this is absolutely normal. Um, so go watch those videos, that video, um, get up to speed on all the bits and pieces that go into, uh, getting your Apple Business Manager connected to Intune. So the video tonight, today, this, at this moment, is going to, uh, focus on provisioning your iOS mobile device. So, um, Steve's got an iPhone over there and, um, we are going to, um, get it, get all the basic pieces configured and set up so that we can get this thing provisioned and managed by Intune. So right off the top, to save all the comments and the questions around our setup of what we actually have configured to capture the videos from the device, because we'll be doing ask this question, but go ahead Steve. Every single time we get a question on it. So what we have set up here is an ATEM Mini from Blackmagic Design, uh, with the, not sponsored, but we, we will take your money if you want to send us some, um, and then we have the Apple Lightning to HDMI adapter that is required at the moment. You don't, you don't have an iPhone 15 with USB-C, Steve? I, I'm not lucky enough to have an iPhone 15 yet. Literally went on pre-sale today. So we should put some hashtags in this video so that we get more clicks around, I sure, iPhone 15.
Yeah, anyway, here we go, iPhone 15 into Intune. So Steve's using an ATEM Mini, uh, and, uh, Lightning to HDMI cable to set up so we can watch this, and then we're recording it and presenting it back using a product called OBS that renders for onto a second screen so it can actually see it all day. I know this is probably not the stuff you want to talk about, but it's the conversation we have quite often, because there's no easy way to capture the image of an iPhone or an Android. This is how you do it, and let's face it, sometimes you do need to record this or demo this for people in your company and you want to do this, so you know, uh, there's, you know, great options there. Um, feel free to email, um, it's Steven Dot go pick, go ping him on Twitter, Cloud guy, um, if you've got more questions around that stuff. He will love it, uh, you will regret it, um, but go ahead. He never shuts up about it. Okay, let's go. So let's, let's, let us provision an iPhone now. Cool. So what I'm going to do is I'm going to quickly share my screen, Adam. Um, let me set up the right display. So the reason why I'm going to do it, because I have Apple Business Manager set up in my environment, um, and I can't log in, we're not going to go down that route. So what you'll note is we have our list of mobile phones. We went through setting up the Apple Business Manager previously, as Adam aforementioned, and today we're going to be working on my iPhone XR. If you have new, newer devices, we won't say no to donations. Um, so if we go here, and we're going to go and select our new MDM server and we're just going to continue. Uh, what we're saying is we're assigning that device to the Intune training MDM tenant. Now as you're doing that, I would like to point out that there is a setting, uh, within the Apple Business Manager configuration where you can set the default MDM server, um, for newly purchased, newly added devices, and when you do that, uh, then you wouldn't need to go in and manually assign. He's got to unshare because it's going to show PII whenever he
does this, so stand by. Yeah, as if we've been down this path before. Um, so, so this is where your MDM service, you can go to your MDM server assignment and hit edit, and you can go and assign where you want each of these to go. And what you can do, what you will note is there's, and I just want to call it out, is there's iPod and Apple TV. Both of those don't pull into the Intune management space today, or probably ever, at least I'm sure we'll go with that. Although I think the iPod should work because it's just using iOS; whether it's supported iOS, that's a good question. Apple TV is running a separate operating system that Intune doesn't have support for today. Cool. All right, so we've got a device, uh, uploaded now. Okay, so for, for the folks that maybe aren't connected, or they don't have, um, their, their purchasing connected to ABM, how would someone enroll a device into ABM? So what you would use is, on an, any other iPhone, you go and install the Apple Configurator application, uh, in your admin account, and from there you can then go and use it like you would your Apple Watch or any other device to be able to capture that and connect it in. So what we'll do is we'll actually go through that in a later video, because there's a step that's, let's get the device actually registered with the assumption that it's there, and then we can talk about using Apple Configurator at a later date, because there's some other really cool features associated with that. With, and that's, and that's a new change that didn't exist when we went through this first time, because you had to use a Mac to do it and all this other stuff, so this is a good, a good deal. Yeah, and obviously you can still use the Mac scenario, but you can now do it without all of that and it makes your life super, super simple. So this is where we're going to talk through that, maybe when I get my hands on an iPhone 15.
Um, and we'll go through that process, so that's just where that one scenario is at and how that all works. Maybe we should hold it, hold a raffle on the channel, uh, but then we reverse raffle, we win. Yeah, how do we make that work? I don't know, I believe it's called donations. [Laughter] All right, carry on, sir. Cool. So we've got our device registered now and we're saying to go to the Intune tenant. Over here in Intune, what we're going to do is we're going to go to Devices, and you'll note that we're using the new device name because we're going to try and push ourselves to use that. If we select iOS and iPadOS you'll see that we've got zero devices there. We're going to select that. You'll note that there's no Macs there either; that's because I've moved and repurposed that device from last week. Um, I, I'm not lucky enough to have multiple Macs. From there we're going to select the iOS and iPadOS enrollment, and the thing to note is iOS and iPadOS fundamentally the same but nuanced differently. Um, so there are functionality that exists in iPadOS that doesn't exist in iOS and vice versa, but from a provisioning of applications, configuration and enrollment, for the most part it's going to work exactly the same, and unless you explicitly say don't do iPad, it's going to go and apply to your iPad devices. So it's, it's important thing to understand. So last week we went through and we set up that enrollment program token, and you'll see that we've still got that there for Apple Business Manager, so that's set up for our all Apple devices. Uh, when we step into here we then will see that we've still only got one device removed and one device ready for enrollment. So if we go to devices you'll see that we still only have our macOS device. This we can delete because it's not in the profile anymore, but we'll leave that for the moment. Before we go through and do our sync, we're going to go and create our, my iOS/iPadOS policy. The reason is because we want to make sure that policy exists before it goes
and calls into the MDM provider, so we don't have the same issue we had with macOS where it picked up no profile. So in here we're going to go iOS default profile, and the thing to note that we're talking through here is we're saying these are managed devices, these are corporate-owned devices. We'll in a later video talk through the process of doing the BYOD or the, the light-touch scenario, but this is where we're sitting there and saying we're doing a fully managed device, and I think that's important to call out. Obviously, so we're assuming that it's always going to be user affinity in our model because we like the user affinity, but you can go and use without user affinity and do some cool stuff, and then there's the shared mode as well where you can do SSO and it gets even more complicated. But for what we're using today is we're going to use the enrolled user affinity, and we're going to go and use Setup Assistant with modern authentication. So Adam, do you know the difference between all three of these? Um, so one of them, uh, so, okay, so the Company Portal would mean that we would basically provision, we would, we would get about, get a, get a device and go through the setup, then we would go install Company Portal manually from the App Store as we're already logged in with our personal Apple ID or whatever, and then you'd go to Company Portal to go and enroll. No, no, no. Okay, so no, I don't have a clue. So this is where, if you select Company Portal, we're not going to allow you to do anything on that device until you've signed into the Company Portal application. So you'll go through the out-of-box process, it'll say that you're an organization, but then it'll go, it's locked until you go through Company Portal. So basically the, the enrollment experience would be, Company Portal and Setup Assistant would be essentially the look and feel the same all the way through, with the exception that the Company Portal mode still would require you to go to Company Portal, sign in the first time. Yeah, and
there's a period of time where we'll just sit there and go, you can't use this device until Company Portal setup. Interesting. This is where using the Setup Assistant with modern authentication is the better way of doing that, because what we're saying is we're going to do it natively with the Apple engine and go through that whole process. Why you need to select with modern authentication is because we want to make sure that MFA and conditional access policies are adhered to, whereas the legacy one doesn't handle that correctly. All right, so, but you're saying that the Company Portal method is not as, as nice of an experience? Yep, that's correct. But then later, with the other method here, with this one, the user would have to go sign into Company Portal at some point? I don't believe so, it'll automatically download the profile and set everything up. So we've already set up our VPP. So for those who are playing along at home, VPP is the Volume Purchasing Program from Apple. We've deployed those applications, and if we go up here, let's quickly triple check. If we go to our apps and businesses, so that we're back in the Apple Business Manager portal, uh, we're now going to go here, and the most important application we're going to use in this scenario is going to be the aforementioned Company Portal. The reason for that is because it gives us visibility of everything that's going on the device. We tried to do this for the macOS video last time and I got backwards and confused, and basically there is no Company Portal VPP app for Macs. Correct, but there is one, yeah, you should put it by our script. Yeah. For iOS there's a lot more controls, and what you'll note here is all of the additional iOS apps, and there's the aforementioned Apple Configurator as well, and we've got that published into our application and available, so we'll be able to deploy that in our later videos as well. So we've got our, double check the location, because isn't that our old location or is it the new one? No, so these locations are
separated from the MDM. So how Apple Business Manager works is you create a location for each organization, basically, that you're wanting to run inside your, your tenant, um, or if you have different managers, a different Intune or MDM platforms for different sites, is this where you can sit there and create that separation of. No, I just, I really just make sure I, that we don't have our old, our old MDM as the location. This is the new one now? Okay. Yeah, yeah. Okay, because it's tied at a lower level. Okay, cool. Yep. Yes, Steve's on the ball. Yeah, I'm asking all the questions. It's all good, that's important questions to ask. Right, so now we've gone and we're going to say yep, we're using our admin at engine training.apple id.com, uh, hopefully it'll still work from here. Is it supervised, yes or no? So supervised means that, um, basically you can do more controls but you can't change without resetting the device. This is where you've got a corporate-owned device and you don't want your organ, your staff members to be able to remove the Intune policies scenario, and then you've also got the whole locked, which means that you can't remove it. So supervised means that they can't change it, uh, locked means they can't remove the profile. We can enable whether we're going to allow sync with computers. I'm going to say sync and allow, because in our scenario we may need to reset the device and things like that using the Apple, which will make our life a lot easier. Otherwise what you can do is you can go with Apple by certificate, and then you upload a certificate to go, hey, Apple Configurator has the ability to connect, and this is where you can put those controls in place. So we're going to set that to allow all. Await final, um, and this is where we're sitting there and going, don't allow sign in until, or don't allow usage of the device until provisioning is complete. You can actually sit there now and go no, and get your staff member up and running a lot quicker, which is awesome. That's, that's same kind of deal we
can do with Autopilot and waiting for provisioning, the ESP to finish and all that. Yeah, so these components here are all brand new from when we last looked at this, even 12 months ago. It's really awesome. You can now go in here as a supervised device and put a device name on there automatically, so you don't have a list of iPhone all the way down your list and then having to figure out the serial number associated to that. So this is going to make life a lot easier for your admins. And then you can go in here and you can do that cellular activation where it'll automatically activate a plan for you. Obviously this will be based upon a URL that your organ, your provider has provided to you. We don't have that, we're not lucky enough, so we're going to skip. Oh, okay, I thought that would just do the default. Okay, just literally just copy it off the screen. Hey, whatever, it would much prefer to watch you mistype it. Yes, thank you Adam. You're welcome. You get to be critical this week, I was critical last week. Cool, that's what we do. Exactly. So this is now where you can go in and set your department and department phone. This is how you provide support to your end user when they go through that about config page and things like that. Previously this was one for your whole organization, and for some reason some people didn't like that, so now you can do it by department, and you create a separate profile for each department and assign the device to that. So we're going to call this the exact ly, and the phone number is going to be five five eight six seven five three, or nine, eight six seven five three oh nine, five three zero nine. Okay, it's that song. No. Oh, come on. Um, and then we can go through and we can do a whole heap of stuff here. So we don't, definitely don't want device, device migration because we don't need it, we don't need Android. Sorry, I did the same last time. Let's start from the top and we'll come down to the bottom. Passcodes, location services, they're useful. We definitely want passcodes,
uh, we don't want to restore. Uh, we're going to leave Apple ID because we like when we have managed Apple IDs, ish. We have terms and conditions, we don't, we're going to auto accept those. We're going to automatically handle diagnostic data and send that up. Display tone, I definitely want to prompt, they want dark or light mode. Privacy, we're going to hide. Um, we're going to hide the SIM setup. There you go, helping you out, that's the name of the song. Okay, the artist. It's important, it's important. Yes. Um, cool. All right, so go back up. Uh, so the location services, just want to point this one out. Um, so we talked about it a little bit in the last video, but if you don't make it through that one, uh, the, um, this one's important because if you, and it's, it's even still important that you make sure that the user accepts it. Uh, so if you set it to hide, any of these things that you set to hide, um, it defaults to the, to the more privacy phase restrictive, the most restrictive privacy settings. Um, so if you set it to hide it's not going to enable location services unless you go and send out a policy separately for it. Can you force that later in an iPhone? I believe so. I don't think so, but okay, that'd be neat if you could. Um, but I know that if you have this set to show, it allows the user to still say no, I don't want to do my location, but if you set it to hide it turns it off. And so, um, yeah, just keep that in mind as you're doing this. If you want, if you want specific things to be forced on, you need to make sure that you're supervising the enrollment, basically. The thing to note as well, as soon as this device is in Apple Business Manager it's not tied to the user's account, so you no longer have to go to Apple and get your, with your proof of purchase to get the device unlocked. You can, this is how you handle that, and that's why we're doing device business manager. So we've created our profile, it's quite simple, ish. We're creating this and it's just going to go through that process. We're then going to select
the default, because this is going to be our default iOS profile. Can we go and create other profiles? Yes, and we then just assign them as needed and would go through from there. So you'll see our device still hasn't appeared here, so we're just going to do a sync and it should come through pretty quickly. So there is our red iPhone XR. So I'm just going to quickly give it a power cycle because it's already been on my Wi-Fi, because I've been trying to make sure that I can display it in the, when connected to the ATEM, because it was being temperamental last week. So I'm just going to pop that up and I'm going to put that onto the display. Now what we should see is that one there, and I'm just waiting for that to load up and it should appear on the screen and we should see that out-of-box experience. And it has not suggested with me, and what we're going to do is we're going to quickly pause. Post, it was just a timing issue on the iPhone, you just have to give it a bit of time and they'll all load up on the screen. So what you'll see is now we have it going through that out-of-box experience of going hey, hello, it's me, in all different languages. So we're going to swipe up and we're going to select English as our language. I'm located in Australia, obviously select the country that makes sense for you. I'm going to do set up manually and continue, and notice has, and one thing I really do like about Apple is you'll see that I put in the passcode but you didn't see the keyboard, because it doesn't show you the keyboard when you're actually presenting it like this. So this hasn't gone through and picked up my device for some reason, so what I'm going to quickly do is I'm just going to quickly step through the process and then reset it again. All right, so what you can do is you can hold the power button on the right-hand side and you can just hit start again, and it will erase the phone and it will start over. Uh, so this might take a little bit, so we may cut it if it takes too long, but this is
basically wiping the phone and starting it over again, and we'll then go through that out-of-box experience again and we'll be successful, because for whatever reason it just has not picked up, uh, the profile that was assigned to it. So I'm just going to go back over here to my VM, and what you'll see here is we can see that it hasn't picked up that profile and that's why we're having this issue. So when you're doing your testing, make sure it's picked up the profile. So I'm just going to force the issue and go here and select my iOS and I'm going to assign that. I'm going to hit refresh, app still waiting, because, there we go, profile assigned now. So once the device comes up we should be able to see, uh, the profile request. So while that phone's just booting up, let's go over here and we'll have a quick look at what we can do in the deployment of applications. So we're going to go, and we've already synced our VPP from last week, we went through that process, we connected it in the Apple, in the macOS video, and what you'll see in here is we're going to have all of our applications. So right now there's a large amount of applications in here for Android, macOS, iOS and associated. What you'll also note is there are store apps, iOS store apps, as well as VPP applications. So the difference, ask me the difference between them, Steve. Okay Adam, what's the difference between them? Uh, so if you push down, uh, the regular iOS store app, it will attempt to install the app but it will prompt the user for, to put in their Apple Store credentials in order to, you know, install it from the store. So it will basically ask the user for permission for each of the apps that you try to force down, which creates a really bad experience if you've got a handful of apps that you're trying to deploy down to, onto user, and then it also allows the user to potentially block the installation of that app until they've approved it. But if you take those same apps and you push them down through the Volume Purchase Program flavor,
it forces them all down automatically, seamlessly to the user, and doesn't ask them any questions. Correct, and the other thing is, um, if you deploy more than six of the store apps it's going to sit there and basically, um, queue them up after the sixth one, and it can cause their issues and notifications. So where possible, and this is where, this is why you want to have registered devices, where possible you want to do the VPP because your life's going to be a whole heap easier. Yeah, and also, like, I think, you know, the, the other piece of this is, even if you're not doing the VPP ones for whatever reason, um, making these apps, uh, available through the Company Portal instead of through the App Store on the device is also, I think, a really good, a good step, because it helps give you that seamless experience across the, you know, any of your devices that are going to be managed by Intune. Company Portal is going to play a big part in that, and so if your user, users are used to going to Company Portal on their Windows device, they're going to be used to it, hopefully, going to it on their iOS device for support and, uh, to sync the device and all those sorts of things. So it just kind of helps drive, exactly, drive the behavior there. Um, but then, you know, you don't have to, like, put all of the apps that they potentially would ever want there, but if you put everything that your users would be interested in, it keeps the users from potentially having to even connect an Apple ID to the App Store altogether on these types of devices. And so if your users aren't comfortable with doing that, or there's, you know, they say oh, I don't want to, I don't want to do it because I have to put in personal info or I have to put purchasing info or, you know, those sorts of things, all of this allows you to kind of, um, circumvent that by fully servicing the device from the Company Portal. Yeah, and also if there's a price associated with the app, the organization can pay it and then rip it off for device, uh, when the, when the
staff member leaves and things like that. Yes. Oh, and what's really, actually that's a good point too, as you go through this. So yeah, carry on here, because I like that, that ties directly and to the next bit. So one thing to note here is we're just going to use the license group, which you can target to the user, because for our model that works. One thing though, stress, is for all other, all applications can be made available on your iOS device, with the exception of Company Portal, because Company Portal is the app that presents the available applications. Uh, fun fact, um, as far as I could tell, um, you don't actually have to deploy Company Portal to your supervised devices. Correct. Um, so if you have a supervised, managed, enrolled device, Company Portal is going to come down. If you don't go do this, it's coming down anyway. So the question is, why then are we doing this? Because we're doing the right thing. Um, but why is it the right thing, Steve? Shouldn't it just automatically come back down, Steve? I would hope so, but we've never tested it. No, we've never tested. So this is where we're going to make sure we're going to use the workflows that we know. Um, so I'm just going to quickly step through a couple of the UX to see if it will pop up on the display again, because it's been temperamental. If only, if only it was USB-C. Exactly. Um, so just bear with me viewers, because it does work, it just can be temperamental unfortunately. I think it also comes to the age of the phone, or the age of the user, you know, since you did this last time. So, um, it's the same phone, I'd probably say three years. Okay. Yeah, it did take us a while to get here. For a minute the, yeah, right, how you do it. All right, we got it, we got it. It only took a couple of minutes. The device just had to sync and do some stuff in the background for whatever reason, but hey, Wally Wiley was doing that. I did double check my, the math here on the Company Portal installation, so there was a note, if you scroll back in the video you'll even see it, um, under the
user affinity methods, there you go. Um, it says Company Portal will be deployed as a required app to allow for device registration with Azure AD. So there you go, I knew I had read it somewhere and I just wanted to prove it, uh, that it did say that. So, so we didn't need to deploy it, but we have. We have, because we have good citizens and we want to control everything that we're doing. So as you can see, we now have our iPhone up. We're going to open it up and we're going to select English, we're going to select Australia where I am. I've already connected this to the Wi-Fi because we're just trying to get it synchronized, but it's just the standard out-of-box experience and process at that point. From here we're going to select, we can see our Remote Management, right, so it's going to be managed by Intune training as you can see here, and we have Remote Management capabilities, installed apps, backup data and Monash traffic and other settings. That's only if you enable it, so if you don't enable those features they don't apply, just understand that and set that expectation with your staff members. So I'm going to quickly sign in with my social training account. This screen right here, though, is a product of the Setup Assistant with modern auth, right? Correct. So if we didn't have that enabled, would we still get this prompt here? Yes, to a point. Okay. Uh, it all comes down to what your identity provider is at that point. I do love the fact that I can see the password appear on the screen here but you can't see what I'm typing in. It's like they've thought of the little things. Yeah, Android's not like that, just so you understand, and we will be, I mean, the fact that the phone knows that you are remotely sharing the screen and is doing something different on the remote screen, it's not truly mirroring it, it's phenomenal. Yep, that's really well thought through for demos and things. Just, just think of the number of edits we wouldn't have had to do on our demos if that's the way Windows worked. Yes. So as you
can see, we're now just going through that final configuration from Intune training, so this will go through the process. We really should have put a capital T there. I don't know where that's coming, that's, that's in Apple Business Manager and we can't change it. Ah, okay, you've looked into this before, I'm, I'm guessing. Most definitely. Um, but I'm guessing this is where we are, don't say we, this is a Steve, this is where Steve did it, but yes. Yeah, it's in, um, a place we can't change. Yes, I'm sure if we put in a support ticket they would fix it for us, but do we care that far? No, no, we do not. All right, so now you can see here we have the ability to do our face recognition. I'm going to use to get started, and you can see my glorious face, and we're going to do our little wave around the camera, and we're registering the device, and we're going to hit continue, and again you guys can't see my PIN, which is fantastic, so I can put in something that I'm going to remember. Good call. So you'll see here we're now prompted for our Apple ID. I'm going to use my Intune training account, so if I can spell. All right, you'll remember, if you followed through the last series, we actually had this set up with, connected into, um, federated identities. We've removed all of that, so this is not going to be my AAD password anymore, and so this is just a, okay, so at this point if you had a brand new user in your company coming in to do this phone, you, uh, they would need to go create an Apple ID because we don't have federated credentials enabled. Um, and for various reasons, and, and, uh, they're, they're, I, I think there's definitely some hurdles involved in, if you didn't federate the moment you created your, your tenant, you probably aren't going to be able to because it's impossible. Well, you can, it just takes time and it's complicated. Um, but what you can see here is I can't just sign in because I don't have an Apple ID, so I'm just going to go forgot password, and I'm going to, uh, set up later. Oh, I'm not going to say don't use
because I'm not going to go through the process of setting that up, because we'll set up federation afterwards and we'll use it all and happy days. Um, so this is an awesome feature. Obviously you as an admin, you can go and deploy a policy to control this, that me as a consumer, I can go in here and go yep, automatically keep it up to date, I really want to keep my phone up to date, it's fantastic. Uh, we can set up Siri, choose for me, I don't care, set up Hey Siri later, continue, and you've probably just heard my iPad tell me something about Siri. I'm going to hit not now. Uh, I'm definitely going to set up Screen Time. This is really cool, if you've got visualization issues you can set it zoomed in or not. Me personally, I at least use the standard, but some people may want to zoomed in. As you can see, there's no SIM attached to this, but through that whole process it's gone and set it all up, not a major concern for the end user, and you can see that the Company Portal's there. I need to sign in because I've not signed in previously. You can make this a little bit less, um, impactful for the user, but in this, in our scenario we haven't set that up, so we're just needing to sign in. Uh, and by that you mean there's a way to get Company Portal to auto sign in? Yeah, I believe so. Actually what we're going to do before we do that is we're going to find Settings and we're going to go to General, and we're going to go down here. What you'll see is the VPN and device management, and we can select that, and you'll see that we have a management profile. Because I haven't set up much on here, and then this tenant, I don't have many policies in there, but you can see that it's come through, so it's pretty cool. Uh, now we're just going to go back over to our Company Portal, and I'm sure Adam's frantically trying to prove me wrong. No, it can stop what I sign in, no, I'm trying to, no, I'm trying to get into my, okay, Apple Business Manager account because I'm only, okay, so I can't, yeah. So yep, we're going to get notifications, I
want the notifications this is already managed so this is more just sitting there and going through the process because it thinks it's not managed but it is managed we saw that in the um settings blade or settings page and you can see device registration and it's just going through their final processes can we streamline this yes but we just haven't and we don't and you'll see that we have one device enrolled which is this device and we're going to okay there's an update available for the Intune uh for the Company Portal and notice the name of the device now Adam look at that how cool is that so now when we go back over to Intune what if you hit rename hang on if I go to devices and I go to my iOS and iPhone OS or iPadOS this is still synchronizing so obviously it's synced with the old name and there you go there's the Nino so in Intune now what I should see eventually is that name will change to the iPhone dash serial number um as the end user so let's go back over here if we go rename uh yeah demo demo yes I can rename it now I think so get hit check status because that should sync it again um the I believe that that the rename setting is only to allow you to manage your personal device list in a meaningful way where you can name it for something that makes sense to you but it shouldn't I believe this this is the way it works on the Windows devices um it shouldn't push the change into Intune so um so from the admin side your device should still maintain the name that you provided it on the admin side but if you were to go into your like my accounts portal um and see all the devices registered to you it would show the friendly name to you or even in the list here in Company Portal it would show you your friendly name for you instead of the corporate name so for your AWS oh you can even see there when you scroll down the original name originally yeah so then if we go back over here sorry let's flip it over I'm just going to hit sync on that device we're going to
refresh and you can see it's still retaining that iPhone dash G zero nxm tuner sweet yeah and if we go to managed apps what we should see in here is we should see Company Portal and it's actually saying waiting for install because it hasn't picked up that it's installed all right um okay so I think I forgot on um on the apps so when we were deploying Company Portal there was a setting there that I wanted to talk about if you would all right get whatever uh we're in here [Music] Windows iOS apps and we go to Company Portal big people yeah yeah it's fine so go to the properties of your assignment and we're going to hit edit and any uh yeah so um the thing I wanted to point out here is that the uh number one and we'll probably go through this in a later video but the VPN um you can set up a per-app VPN tunnel and it supports numerous VPN providers like my company uses GlobalProtect it works try to seamless it works you've also got the built-in Microsoft Tunnel uh many other providers out there I haven't tried any of the other ones but we'll probably cover that at a later video but if you needed an app uh like especially if you had a custom VPP app where you you somebody wrote a custom app but it needed access to company resource or something needed a VPN connection you this is where that would come into play so um very seamless works nicely highly recommend um but then the if you needed to lock an app in to a specific version where you like especially we've got like we've got devices out in the field where um various we're very specific about like hey we can't just automatically update because we need to vet and test and things so this is where that would come into play where you need to to hold an app prevent a specific update from applying to it but then the others here the the install as removable and then also be able to remove or uninstall on device removal I think those are great settings where you can say if like especially if it's a purchased app if you remove
your device I want the you know I'm going to free up the license I'm going to take my app back you're not going to get a free app out of the deal um and so that's great the install as removable that one's great if you feel like this is an app that maybe occasionally we need to uninstall and reinstall for whatever purposes or um explicitly do not want it removed because it removes all of the configuration that goes with the app yeah and so that's more specifically kind of the other the other way right and then preventing the iCloud backup I mean I think it's pretty self-explanatory one of the you know one of the things that we've looked at there is um uh Authenticator for example if you push Authenticator out and you force Authenticator um Authenticator hasn't has a backup option well one of the things about it is if I'm trying to promote the use of Authenticator for all of your multi-factor auth so you kind of got a centralized home uh for all of that stuff but I block the ability to back it up you can't back up your keys and so if I give you a new corporate phone or if I have to wipe and load you I've completely blown away your Authenticator keys uh if you haven't backed them up some other way so you have to be very specific on the apps that you do and don't target that stuff with um so just you know some some lessons from the field uh on on some of those things so think think carefully on how you would like those things to be used I think it's really easy to say oh yeah we want to block iCloud backup for everything that's you know that we're pushing down these devices like well maybe maybe maybe not um you know think through what the implications are of those kind of deals so yep perfect I would also say that um one of the other I mean I think out of the box if we were to say here's the core apps that you should be pushing down to your devices um I definitely would say that I would in most cases you would say for at least personal use devices I would push down
Authenticator um uh though you could also put that if you were going to do mail you could push down Outlook Outlook comes with Authenticator Lite now so if you didn't want to push down the full Authenticator you could push down the Outlook app and use Authenticator Lite and still get that MFA experience just bake in the the office or the Outlook app I've not personally used it I just I've heard about it um so those are things yep yeah we should get so what we're doing here is we're just going to grab the micro Microsoft Authenticator you feel free to use Battlenet but that's on your personal phone yeah well you could technically use Battlenet with other platforms true oh shame so we've gone and purchased 10,000 licenses because we're a large organization because they're free um when you go now go back over here uh and to sync that we're going to go to tenant admin we're going to go connectors and tokens and VPP here and scroll all the way to the end and we're going to hit three dots and we're going to hit sync because that was very logical for everybody to remember that right isn't it amazing that sometimes the buttons are at the top but then sometimes the buttons are in the little dot at the end I don't understand I'm not going to comment um so then what we have here is now we have that Microsoft Authenticator application we're going to go here we're going to go to properties we're going to actually think it's because there's a real click thing there if you clicked on it it would click the row if you there's not a select row option so you have to put the buttons at the other spot yep right so you just accept that and move on that was really fast though it came down super fast it did um so I've just gone and approved that I've deployed that out and now if we go over to the iPhone itself we unlock it what we'll see is uh close that down we're going to just quickly force it but this happens pretty quickly either way what should happen is yeah I think we we did a
quirky thing with the pushing Company Portal down yeah that's exactly the behavior I it took a while and I finally that's exactly sorry I forgot that that was the reason why you don't do it don't push Company Portal anymore uh it if you're going to do then the MDM enrollment it's going to take care of it for you if you're using this those settings that we walk through uh with the modern auth um so don't push it yourself because then you just get this repeated never ending thing yep oh sorry I that's how I got there Steve because I was like why is Company Portal constantly saying it needs an update and that was the deal so as you can see it's now popping up and saying hey you can edit but also behind the scenes you can see the Apple uh the Microsoft Authenticator app installing just like that man all dumb simple easy peasy so that's it man like we've enrolled an iOS device um and now we have we stay tuned because we're going to tell you how to configure it and do all the other bits and pieces um but ultimately you've got a managed device now um it's wide open with no other policies and things but it's it's fully managed you can remotely wipe it you can locate it all that good stuff yep um if you ever see this message just because you actually haven't set up MFA on the phone yet on the account yet so that's why I had that message I set you up Steve sorry and it was coming yeah um just to note if you try to set up MFA on this account it's going to be set up before you can get access to so what don't try and hack this account okay oh viewers yes please please viewers don't Steve Steve's gonna prevent you from setting up MFA on his behalf yeah it will be set up soon awesome so I think that covers off everything there I'm just going to cancel that did you see the rebrand the what the regret oh how about that it's you know there was something I was on the other day where it literally from like I saw it said Azure AD still and then literally I refreshed and it said Azure
AD or Entra ID yeah within the next day or something it was it was I was like okay they're catching up it's still all over the place in the docs it's going to take forever to go away correct uh I'm just waiting for it to show up in the Graph beta endpoint without them telling anybody yes because you know it's kind of that's why it's beta you shouldn't be using this for production it's not our fault I'm not going to go down that route home let's uh let's wrap the video up there oh come on Steve live a little it's what happens when you move to the dark side all right folks well that's it for uh how to enroll iOS devices stick around for the next videos we're going to be covering Android um coming up actually we're going to record that one right after this one so stay tuned
Info
Channel: Intune Training
Views: 12,523
Keywords: Microsoft, Intune, Training, Azure, AAD, MEM, MSIntune, Microsoft Endpoint Management, MEMIntune
Id: zyUuJzgz-Ig
Length: 53min 28sec (3208 seconds)
Published: Tue Oct 03 2023