Hi there, welcome back to my channel. Just a reminder that we love people who subscribe here, so go ahead, click on that subscribe button down there and don't miss a thing, and as always we welcome your comments and feedback. So we're ready to begin; let's go.

Hi everyone, welcome back to my channel. I'm Andy Malone, I'm a Microsoft MVP and a Microsoft Certified Trainer. You know, it started out life as Microsoft Intune, and before that, of course, it was on-premises as System Center Configuration Manager. Well, in 2020 it merged, it became one single product, and I would say what a fantastic tool it is for managing devices, users and applications as part of Microsoft 365. But just how do you administer it? Well, I thought this week we would take an in-depth look at that. So are you ready? Let's take a look.

So today we're beginning in the Microsoft 365 admin center. Now, just before we go into Endpoint Manager, I'd like to show you a couple of things. I'm going to go into Azure Active Directory, and in my Azure Active Directory I'm going to go into here and scroll down in Azure AD, and you can see that we have a number of options here. One thing I just wanted to point out was this Mobility (MDM and MAM), so mobile device management and mobile application management. Now, by default every customer gets MDM and MAM free of charge, and what that means is that you can manage mobile devices, so mobile phones; if you've got cell phones, absolutely no problem. Now, if you want to manage PCs and Macs and all the other devices that come with it, then you will need an Intune license, and you can see here that my tenant has been set up: I've got Intune enrollment and I've also got Microsoft Intune there. Now, a common question that I get asked is, do I have to have Intune? Do I need to use Intune as part of Microsoft Azure? And of course the answer is no. So you can see all these other brands, these different variations on that, are actually here. So no, the answer is you don't need to go with that; it just happens that in my subscription I get Intune, or Endpoint Manager, free of charge.

So I'm just going to scroll that down and I'm going to come now into Endpoint Manager. In terms of managing your users, the really nice thing about this portal is that you can see that we've got Users and Groups here, and you've also got Tenant administration. So the users here are exactly the same users as you've got in Azure Active Directory, and also the same as what you've got in Microsoft 365. You'll also notice that you've got other features here, so the groups; you've got all the different group settings, and if you're interested in groups then go ahead and check out one of my other group videos that I've recorded recently.

So a good place to start, of course, is up here on the dashboard. So here we are on the dashboard. Now, this is just a demo tenant that I have, but you can see here that this gives me a dashboard, gives me a complete kind of overview of everything that's going on within my organization. So we've got device enrollment, you've got compliance of course, and one of the nice things that Endpoint Manager brought was not only the ability to manage devices and apps but also to manage the security features on those devices as well. So you've got kind of everything in one place.

So the first place we're going to look at in our administration tour is obviously managing devices, and you can see here one of the first things, of course, you'll be asked is, okay, how do we actually get our users' devices into Endpoint Manager? Okay, so the first thing for that, then, is you can come down... well, you've got different types of devices here. Of course this is just a viewing tool, so you can view by Windows devices, iOS and iPadOS, macOS and of course Android devices here as well. So to enroll our devices we come into the Enrollment area here, and you can obviously choose which type of device that you want to enroll. So for example, Windows enrollment I'll come
back to in a moment, but let's say, for example, you wanted Apple enrollment. Now, this is super smart. The one thing that you will need to purchase from Microsoft, sorry, from Apple, or at least get from Apple, is this: this is the MDM (mobile device management) push certificate. Essentially what this does is, once it's installed, you can then create configurations for all your Apple devices, and what you then do is you essentially go off to your Apple reseller, purchase your 1000 iPads or your 500 Macs, and they will ask you, do you have an Apple push notification certificate? And you'll go, yes I do, this is my number, and they will then associate that number with your order. So that means that when the devices get rolled out to your users, when the user switches that device on (so there's zero touch on your part), when the user switches that device on it then picks up: ah, hang on a minute, this is a managed device, because it's associated with that certificate. It's absolutely brilliant. Now, you also get the same thing with Android as well.

Okay, so coming here you can see, for example, I don't have a push certificate at the moment, but if I come up to the Windows devices, you can do something here with Windows devices as well. So you can configure Windows devices to kind of detect and load up automatically, and we can also deploy, for example, Windows Hello for Business. So Windows Hello for Business, of course, is the opportunity to use biometrics rather than simple passwords, and you can see you can choose, do you want to set this up for all users, or if you don't want it for all users. Oh, by the way, that's another really neat feature here: so you can see, if you've got like a help link here, you know, where it says "Learn more", it takes you through to an awesome feature. So, do you want to configure Windows Hello for Business? Yes I do, so I'm going to enable that, and I'm going to say, does your laptop have a Trusted Platform Module? That just basically means any recovery keys are all encrypted on a microchip on the actual device itself. The PIN length, so a PIN number; so if you're using a key of some kind or a PIN number rather than a password, you can set the minimum and maximum numbers there as well. Of course you can also choose whether you're going to include letters; of course you're going to complicate things, so you can do that. You can also, of course, set an expiry date for that as well. And this is the one that you really want to take a look at here: allowing biometric authentication. Absolutely, it will seriously improve your security a thousand percent if you're using biometrics rather than basic passwords. And just to point out, I've done a previous video on passwordless authentication, so you may want to go off and have a look at that video afterwards. So you've got things like anti-spoofing mechanisms here; you've got, are you going to allow phone sign-in, so if they're coming in on a mobile device; and you can also use security keys, so these are these new security keys that you can set up there. So I'm going to go ahead and save those changes there for my Windows device, and that looks good, and just close that down here.

So the next thing that you want to think about, whether you're working in Apple or Android or whatever, the next thing is you want to think about profiles. So who is the profile set for? So looking at deployment profiles, then, you have the Windows Autopilot program. Now Autopilot, as I mentioned, is quite similar to the Apple enrollment program, so the idea is that it's a fast track to get Windows devices enrolled and deployed with Microsoft Windows. The other thing that we have here as well is an Intune connector for Active Directory. So if you're using Azure AD Connect to connect your on-premises Active Directory domain controller with Microsoft Azure, then there is also a connector. If you're managing, for example, if you've got SCCM on-premises (System Center Configuration Manager), you can manage both
devices, so that's a really useful feature, by the way. Okay, so obviously here you can see that we've got deployment profiles, and I can come in here and basically this is where we can go ahead and create a profile, and you can see I've kind of got one here, just a basic one. So first up, then, having a look at this, looking at the properties of this, it just tells me who this Autopilot profile is for: Windows PCs. The machines in this case would be domain joined to my company. Now, Azure AD of course is the directory service of Microsoft 365 and also Microsoft Azure, and if you've just got Azure AD domain joined machines, this means that you've got nothing on premises whatsoever, so you don't have Active Directory on premises, and this is a way that you can manage all your PCs, Macs, mobile devices remotely. Fantastic set of tools. So the idea is that I can come in here; you see you've got these basic things that you can edit here, and this is essentially what we call the out-of-the-box experience. So when the user joins Microsoft 365, this deployment gets rolled out to their machine, and of course I can now go in to edit this. Obviously I'm not going to have time to go through all of these, but I'm sure you get the idea. So for example, do you want to show the software license terms or do you want to hide it from the user? Do you want to show the privacy settings? Do you want to have the user signing in as a regular user or as some kind of administrator (never a good idea for an administrator, by the way)? White glove experience means zero touch. Of course you can also choose your region, your language here, and this will deploy the appropriate language onto the device as well. You can obviously have multiple different profiles here as well. So once you've reviewed and you've saved that, that is then ready for your users. So again, I'm just going to save that experience here. Now, from that you can then say, okay, I've now created that out-of-the-box experience, who do I want to assign that to? So this is where you can say, okay, do I want to set specific groups of users here, or do I want to either include these users or exclude? So exclude means I'll bring in everyone except this particular group. Okay, and again I'm just going to go ahead and save that here.

So just going back to the Devices area here. So once you've obviously enrolled your devices, the next thing is we can then think about, okay, configuration. So under here you've then got these three policies here. So you've got compliance policies: so are you going to set up rules for the types of devices? And compliance means, what operating system are you going to support, are you going to allow jailbroken devices (I certainly hope not), and so on, those types of rules. Conditional access: so as well as a username and password, do you require the user to meet any other conditions? So for example, be in a specific location, running a specific version of the device, and so on. And if you want to know about conditional access, again check out my channel; I've recorded a couple of previous videos on that. And then of course you've got the actual configuration profiles themselves.

Okay, so looking at those configuration profiles, again I've got a couple of demo ones here, so I'm just going to go into the iOS one here, and again I'll go into Properties. You get some basics: so what's the name of your policy here, what's it for, what platform is it for, and so on. And then you can actually set up the actual configuration settings themselves. So if you're an iPhone user, an iOS user, then you'll recognize some of these. So for example, what kind of cloud storage are you going to allow for your users here? So you're going to, for example, block backup of enterprise books; are you going to block iCloud Photos on this device; block access to the photos library. So again, you know, these devices, for example iPads, might be for kids in a school, for example, so there may be features in
here that you may want to switch off. You might not want the users to be able to back up to iCloud, and so on. So that's that. Do you want to restrict any of the apps that are on the actual device? So for example, do you want to block any features, things like, again, the camera, FaceTime and so on. Again, this could be quite useful in a, you know, fairly secure environment, and there's plenty of... definitely go and take a look at these, actually; they're really useful. What kind of experience do you want to have for the user's lock screen? So do you want to control access to the lock screen so the user can't even get in and customize these settings? Is the device a shared device, for example (again, kids in a school)? Do you want to have automated device enrollment? So again, yes, you might want to say, yes this is a shared iPad and therefore have multiple profiles set up for that.

Just a quick thing about that, actually. I'm often asked, okay Andy, you set these features up, but how do I actually get my users to do this? Well, the idea is that if the user now goes into Microsoft 365 and, for example, tries to sign in with Outlook with their username and password, essentially what will happen now is it will say you are required to enroll this device. In other words, this device is going to become a managed device. So once the device has been enrolled, the user accepts the terms and conditions that you've set up, if you've set them up, and then once the device is enrolled it's now managed by yourself. What the user typically does is, when they said yes I want to enroll this device, it will go to the app store of the device; so for example, in the case of an Apple device it's going to go to the Apple App Store and it's going to download the Intune agent and install it. It's completely free, very, very simple to do, but once the user's done that, it's then classed as a managed device and of course you can then manage it. Now, a question I'm often asked is, ah, but what about security? Does that mean that the administrator can see the user's data? What about privacy, and so on? Absolutely nothing to worry about there. What we're talking about here is just really deploying applications, managing the device on behalf of the user, for example updates and things like that.

Okay, so that's the first thing. So we want to go ahead and, as I said, you want to create that configuration profile, so, you know, the different types of settings for your users and so on. All right, so again, create the configuration profile. So again, I'm creating that: so I went into the properties here, edited those configuration settings, and then you would come down into Assignments here. So in this case you can see that I've deployed this profile to my Sales and Marketing group. Okay, so the Sales and Marketing group here have got those device restrictions set up there. Okay, that's again very, very easy. So the key thing: create the profile, just give it a name, then go into the different configuration settings, then assign that profile to the actual users there. Okay, once the user is enrolled you'll then see Device status, User status, and these are like little reports here. So if there are any users that are having problems, maybe they've not enrolled correctly, you'll see details on that here.

Okay, so that's configuration profiles. The other thing is a compliance policy. This can be quite useful: so are you going to have any rules regarding compliance? What kind of devices are you going to allow, old devices for example? So again we've got this demo option here. I'm just going to go into Properties of the device again; you can see you get some basic naming information, but these are the important ones here: Compliance settings, and then of course Actions for noncompliance, which I'll come back to in a second. So first of all, Email: does the user require
email, or does it need to be configured? Device health: so you definitely want to block jailbroken devices, require the device to be under the device threat level (so you can set different categories of threat levels), but the jailbroken device one is very important. Device properties: so again, this is where you can set up the minimum and maximum operating system version here, and the different build versions as well, so iOS 14.1 and so on, because the last thing you want is users having really old iPhones or iPads which are really, really slow, and you've got problems deploying software or updates onto them. And if you are using Windows Defender ATP (Advanced Threat Protection), of course you can deploy that now not just on Windows devices; you can also deploy that on mobile devices as well. I'm going to cover this in a future session, by the way. Then of course you've got all your different System security. So for this device, remember this is compliance: so do we require a password for the device? I would hope so. Are you going to do automated enrollment for the device? Are you going to block or allow simple passwords? Minimum and maximum password length. So again, this is whatever your security policy for your company is; this is where you can obviously set that up. Okay, also down here at the bottom: do you want to restrict any apps? So again, any apps that you want to restrict, you can do that. Apps bundle ID: "Andy, what does that mean?" Well, very quickly, if I just quickly switch over to Azure Active Directory and go into Azure AD, you can see that we have Enterprise applications here, and these are all the applications that you've deployed. So for example, here is Yammer, which is part of Microsoft 365, and look, there's the Application ID here. So basically you would just simply copy that, and then, obviously that's just an example, but you get the idea: that would then block that particular application.

Okay, so that, ladies and gentlemen, is compliance policy. So again, a really nice feature. Now, if there are any hits against the compliance policy, you can of course set a notification, so you can create that notification that says, hey, you know, John has had a hit against his compliance policy, let me know. And you can also choose how you want to... it will show you a list of any non-compliant devices, and you can then retire those devices as well. Again, Compliance policy settings down here: so mark devices with no compliance policy as either compliant or non-compliant. So for example, this could be, you know, let's say guests or customers that you've got coming into your environment; so if they've not, you know, this is kind of a catch-all type scenario. And we also have this really nice feature called enhanced jailbreak, so if you've got additional security features, this can be quite useful as well. Okay, the other thing that you can also do, this is actually part of conditional access, you can create Locations, so for example trusted locations. So if you're doing conditional access policies based on locations, so for example if I'm in the London office today, I don't need to do multi-factor authentication, and users love that.

So heading back to our devices. So we talked about enrolling devices, I've talked about compliance policies and configuration policies here. Now, if you want to use scripts, so if you're a scripter, you like using PowerShell and you want to deploy scripts, especially to things like Windows devices, then you can add those scripts in here, so kind of automated. We also have, this is where you can configure things like Windows update rings. So if you're a large organization, rings means that, you know, if you've got different branch
offices or different regions, you can specify here, hey, you know, I want to create a profile for a Windows 10 ring, and I can say, okay, for the marketing department I want their systems to be updated within 30 days, and for the finance team I want them to be updated within 90 days, and so on. Do you want to set up any enrollment restrictions? So for example, when we're talking about users signing up for Endpoint Manager and going through that enrollment process, do you want to set up any device restrictions here? So this is where you can create either a device restriction or a device limit restriction. Now, you can see here that we have 15 as the limit, and that's important because, as part of Microsoft 365, every user can install Microsoft 365 on either five PCs or Macs plus 10 mobile devices, okay, so for a total of 15. So if you want to limit that even further you can do so. So by default it's for all users, 15 devices, but again you can reconfigure that if you want to. Okay, this is really nice: this is eSIM, by the way, if you're using cellular services; again, so if you've got cellular services you can do that. This is interesting as well: this is Policy sets. So you can see here that we've got all the different policies, and you've got to go through and assign users to these different policies. This is awesome: so we now have what we call policy sets, and policy sets, of course, I can create, and it basically goes through all the different policies. So I can call it, I can just call this Set One, and I'll just go, yep, okay, Next. Application management: so this is where I could select apps, so for this particular profile I'm going to say, okay, the users can just use these particular apps. I can set configuration policies up for those apps and also some application protection policies. Then I go into Next, Device management: I set my device configurations up, compliance policies here, you get the idea. Then I go through to, you know, how do I want my users enrolled, and then who am I going to assign this to. So the idea here is, rather than basically going through all these different profiles and policies, the idea is that we just go ahead and create this policy set, and it really speeds things up. Okay, that's a really nice feature, by the way. Okay, of course, forgive me, I'm not going through all of these settings, but hopefully it's giving you an opportunity to gain some experience with it.

Okay, for the second part here, what I'm now going to do is also show you the applications as well. So Applications: again you can see you've got some monitoring features here; you can also monitor them by platform as well, and of course this is where you can also create your policies for your applications. So we have these protection policies, configuration policies, provisioning profiles for the apps themselves (S mode is a version of Windows, by the way), and also you can create policies for apps as well. Again, as before, you also have the policy sets as well if you want to. So as an example, if I go through, let's say, I'll go to Policies for Office apps here. Okay, so you can see that at the moment we don't have any policies in place, so the first thing we need to do is go ahead and create a policy. So I'll just call this, in fact I'll call this Sales Policy One, okay, and I'm going to say, what's the type? Okay, we're going to select this, and I'm going to say, this policy configuration, does it apply to users or does it apply to users that access anonymously? So this could be, for example, guests; so if you're using Microsoft Teams and you've got guest access enabled, you could actually create a policy for them. For the purpose of this demo I'm going to say this policy applies to users. I will then say, okay, which users? So I've got a group of users here; I've called this Sales and Marketing group, so I'm going to do that, I'm going to create that, so that will just add those in here. Okay, so the policy is now created. Again, what I'm going to do is I'm just going to open up
that policy just to have a quick look, and you can see I can now go ahead and actually configure this policy. So you can see that we have lots of different settings for different apps. Again, remember this is for Microsoft Office; these are for Office apps. So for example, do you want to enable or disable trusted locations for files? Do you want to control how hyperlinks work? Do you want to allow trusted locations on the network? Do you want to add those in? And you can see that this is actually deployed like a standard policy for us. So that's, as I said, that's a really nice feature.

Okay, so up next, you've also got this feature at the bottom here, App selective wipe. I'm often asked, Andy, I appreciate that if it's a corporate device I can manage the device, I can deploy apps to it; what if it's a personal device? Users might get a little bit upset if it's a personal device. So in essence, if you're using mobile devices, what happens is the enrollment procedure will actually install a portal on the user's device, and within that portal all the corporate apps will sit. So the idea is that this corporate portal, or bubble, should not interfere with any of the user's apps on the device, and in fact you can't cut, copy and paste between both. So at the end of the day, if the user leaves, you essentially just remove the corporate apps from the device, and the user's copy of Angry Birds or Star Wars or whatever they had is still in place.

Okay, so there we go. That's the first part of administering Endpoint Manager. I really hope that you enjoyed that. Next time I'm going to come back, and in part two we're going to look at endpoint security, and we're also going to look at the tenant administration and also reports. So there you have it: Endpoint Manager administration, that was part one. In part two, like I said, we're going to go even further and hopefully improve your training. I really hope you found this useful, and of course, if you did, go ahead and click on that subscribe button down there. In the meantime, join me next time. I'm Andy Malone, and you stay safe. Remember, if you like what you've seen, go ahead and subscribe and check out these other related videos. Thanks again.
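The Windows Hello for Business enrollment settings clicked through earlier in the video (TPM required, PIN length and letters, expiry, biometrics with anti-spoofing, phone sign-in) and the iOS compliance policy settings (block jailbroken devices, device threat level, minimum OS version, passcode rules, restricted apps, actions for noncompliance) can also be created through the Microsoft Graph API rather than the portal. The Python below is an added example, not code from the video or from Microsoft: it builds the request bodies for both objects, runs a small check that the compliance policy meets a few floor expectations before it is submitted, and posts a body with a bearer token you supply. The endpoint paths, property names and enum values are those of the Graph v1.0 deviceManagement API as I know them and should be treated as assumptions to verify against the current reference; the display names, the blocked bundle identifier and the grace periods are constructed sample values.

```python
"""Intune (Endpoint Manager) settings through Microsoft Graph instead of the portal.

Added example. Endpoint paths and property names follow the Graph v1.0
deviceManagement API as assumed here; every sample value is constructed.
"""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0/deviceManagement"


def build_whfb_config(pin_min=6, pin_max=127, pin_expiry_days=90):
    """Windows Hello for Business enrollment configuration mirroring the video's
    walkthrough: TPM required, PIN rules, biometrics + anti-spoofing, phone sign-in."""
    return {
        "@odata.type": "#microsoft.graph.deviceEnrollmentWindowsHelloForBusinessConfiguration",
        "displayName": "WHfB - all users",          # constructed name
        "state": "enabled",
        "securityDeviceRequired": True,             # "does your laptop have a TPM"
        "pinMinimumLength": pin_min,
        "pinMaximumLength": pin_max,
        "pinUppercaseCharactersUsage": "allowed",   # "include letters"
        "pinLowercaseCharactersUsage": "allowed",
        "pinSpecialCharactersUsage": "disallowed",
        "pinExpirationInDays": pin_expiry_days,     # "set an expiry date"
        "unlockWithBiometricsEnabled": True,        # the setting the video stresses
        "enhancedBiometricsState": "enabled",       # anti-spoofing
        "remotePassportEnabled": True,              # phone sign-in
    }


def build_ios_compliance_policy(name, min_os="14.1", passcode_min=6,
                                blocked_bundle_ids=(), grace_hours=24):
    """iOS compliance policy: device health, device properties, system security,
    restricted apps, and the notify -> block -> retire actions for noncompliance."""
    def action(kind, hours):
        return {"actionType": kind, "gracePeriodHours": hours,
                "notificationTemplateId": "", "notificationMessageCCList": []}

    return {
        "@odata.type": "#microsoft.graph.iosCompliancePolicy",
        "displayName": name,
        "securityBlockJailbrokenDevices": True,
        "deviceThreatProtectionEnabled": True,
        "deviceThreatProtectionRequiredSecurityLevel": "low",
        "osMinimumVersion": min_os,
        "passcodeRequired": True,
        "passcodeBlockSimple": True,
        "passcodeMinimumLength": passcode_min,
        "passcodeRequiredType": "alphanumeric",
        # restricted apps are identified by their iOS bundle id (constructed values here)
        "restrictedApps": [
            {"@odata.type": "#microsoft.graph.appListItem", "name": b, "appId": b}
            for b in blocked_bundle_ids],
        # Graph rejects a compliance policy with no scheduled action, so always include one
        "scheduledActionsForRule": [{
            "ruleName": "PasswordRequired",
            "scheduledActionConfigurations": [
                action("notification", 0),          # "let me know"
                action("block", grace_hours),       # conditional access blocks it
                action("retire", grace_hours * 7),  # "retire those devices"
            ],
        }],
    }


def lint_compliance_policy(policy):
    """Return the floor expectations the policy fails to meet (empty list = fine)."""
    findings = []
    if not policy.get("securityBlockJailbrokenDevices"):
        findings.append("jailbroken devices are not blocked")
    if not policy.get("passcodeRequired"):
        findings.append("no passcode required")
    elif policy.get("passcodeMinimumLength", 0) < 6 or not policy.get("passcodeBlockSimple"):
        findings.append("passcode rules are weaker than the company baseline")
    if not policy.get("osMinimumVersion"):
        findings.append("no minimum OS version")
    if not policy.get("scheduledActionsForRule"):
        findings.append("no actions for noncompliance")
    return findings


def submit(path, body, token, method="POST"):
    """Send a body to a deviceManagement path (POST to create, PATCH to update)."""
    req = urllib.request.Request(
        f"{GRAPH}/{path}", data=json.dumps(body).encode(), method=method,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    policy = build_ios_compliance_policy("iOS baseline", blocked_bundle_ids=["com.example.blockedapp"])
    print(json.dumps(policy, indent=2))
    print("findings:", lint_compliance_policy(policy) or "none")
    # submit("deviceCompliancePolicies", policy, token)          # create the policy
    # submit(f"deviceEnrollmentConfigurations/{cfg_id}", build_whfb_config(), token, "PATCH")
```

The token needs the DeviceManagementConfiguration.ReadWrite.All permission. The Windows Hello for Business settings live on the tenant's existing enrollment configuration object, so in practice you PATCH that object by id rather than creating a new one, which is why the second commented call uses PATCH. Assignments to a group such as Sales and Marketing are a separate request against the created object's assignments, not part of the bodies shown here.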
