Microsoft 365 Mobility and Security: Exam Guide MS-101

Planning for MDM

When thinking of your organization's path to MDM, you'll want to consider and assess your company's unique requirements. The exam will likely focus more on the settings and configuration of MDM, so we'll focus primarily on them. When you're ready to begin implementing MDM, you can generally break it down into the following 10 steps:

  1. Configure the security groups in Active Directory (AD) or Azure AD that will allow you to easily assign policies or apply restrictions based on membership. Many of the later steps depend on these groups, so create them thoughtfully; you'll base restrictions and permissions on them.
  2. Assign Intune and Office 365 licenses to users from within the Microsoft 365 admin center (admin.microsoft.com) or Azure Active Directory. Users must be assigned an Intune license to be able to enroll their device.
  3. Set your MDM authority to Intune (see the Setting an MDM authority section), and create an MDM push certificate for Apple devices (see the Device types and enrollment section).
  4. Create terms and conditions via Intune | Tenant Administration | Terms and Conditions | Create.

Deploying terms and conditions is optional, but when deployed, users must accept your company's terms of usage prior to enrolling via the company portal. This can also be configured during setup of conditional access, which we'll discuss more in Chapter 2, Managing Device Compliance.

  5. Deploy general/custom configuration policies (restrictions or allowances based on device types and groups). For example, a configuration profile can block access to Game Center for iOS devices.
  6. Deploy resource profiles (Wi-Fi, email, and VPN resources that can be deployed).
  7. Deploy store or custom/line-of-business apps.
  8. Deploy compliance policies to make sure users are using approved devices (specific OS versions, not jailbroken devices, and so on). For example, a compliance policy can ensure iOS devices use passwords to unlock the device with at least four characters.
  9. Enable conditional access policies that will restrict users from accessing company data if certain criteria aren't met, such as the compliance policies in step 8.
  10. Finally, enroll the devices.
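
The two example policies from steps 5 and 8 can also be created and assigned through Microsoft Graph instead of the portal. The following PowerShell is an added example, not taken from the book; it assumes the Microsoft.Graph.Authentication module is installed, and the display names and the group ID are constructed placeholders.

```powershell
# Added example, not from the book. Requires the Microsoft.Graph.Authentication module
# and an account allowed to manage Intune configuration.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'
$base    = 'https://graph.microsoft.com/v1.0/deviceManagement'
$groupId = '00000000-0000-0000-0000-000000000000'   # placeholder: object ID of a step 1 security group

# Step 5: iOS device restriction profile that blocks Game Center.
$configProfile = @{
    '@odata.type'     = '#microsoft.graph.iosGeneralDeviceConfiguration'
    displayName       = 'Example - iOS block Game Center'   # constructed name
    gameCenterBlocked = $true
}

# Step 8: iOS compliance policy requiring a passcode of at least four characters.
$compliancePolicy = @{
    '@odata.type'           = '#microsoft.graph.iosCompliancePolicy'
    displayName             = 'Example - iOS passcode required'   # constructed name
    passcodeRequired        = $true
    passcodeMinimumLength   = 4
    # The policy is created together with its "mark device noncompliant" (block)
    # action; a zero-hour grace period applies it immediately.
    scheduledActionsForRule = @(
        @{
            ruleName                      = 'PasswordRequired'
            scheduledActionConfigurations = @(
                @{ actionType = 'block'; gracePeriodHours = 0
                   notificationTemplateId = ''; notificationMessageCCList = @() }
            )
        }
    )
}

# The same assignment body targets both objects at the security group.
$assignment = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $groupId } }
    )
}

$targets = @(
    @{ Path = 'deviceConfigurations';     Body = $configProfile },
    @{ Path = 'deviceCompliancePolicies'; Body = $compliancePolicy }
)
foreach ($t in $targets) {
    $created = Invoke-MgGraphRequest -Method POST -Uri "$base/$($t.Path)" `
        -Body ($t.Body | ConvertTo-Json -Depth 10) -ContentType 'application/json'
    Invoke-MgGraphRequest -Method POST -Uri "$base/$($t.Path)/$($created.id)/assign" `
        -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType 'application/json'
    Write-Output "Created and assigned $($t.Path) object $($created.id)"
}
```

Running this against a pilot group first keeps the compliance policy from marking production devices noncompliant before the conditional access policies in step 9 are reviewed.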

Next, we will look at device types.