
What to know before setting up Windows Intune

Updated: June 16, 2014

Applies To: Windows Intune

Before you set up Windows Intune, you might want to review Evaluate Windows Intune. After you are familiar with the capabilities of Windows Intune, you should be ready to set up your subscription.

This topic includes information about:

You use two types of administrator accounts and two separate administration consoles to grant your admins access to the things they should manage. The following sections explain these accounts and portals.

 

Account type Permission levels More information

Tenant administrator

Tenant administrators are assigned one administrator role, which defines the administrative scope for that user and the tasks they can manage.

Administrator roles are common between the different Microsoft cloud services although some services might not support some roles. Windows Intune uses the following roles:

  • Global administrator

  • Billing administrator

  • Password administrator

  • Service administrator

  • User management administrator

For details about administrator roles, see Tenant administrator account reference for Windows Intune.

To configure tenant administrators, see Task 5: Assign Administrative users.

By default, the account you use to create your Windows Intune subscription is a tenant administrator with the global administrator role.

  • As a tenant administrator, you use the Windows Intune account portal to manage your subscription for Windows Intune.

  • You assign tenant administrators from within the Windows Intune account portal.

  • Use a tenant administrator with the global administrator role to access the Windows Intune administrator console to assign your first service administrator.

  • As a best practice, do not use a tenant administrator for day-to-day management tasks.

  • A tenant administrator does not require a license to Windows Intune to access the Windows Intune account portal.

The tenant administrator is a common concept between Microsoft cloud services. When you subscribe to Windows Intune, your service is a tenant of Microsoft Azure AD. For more information, see What is an Azure AD tenant?

Service administrator

Service administrators are assigned one of the following permissions:

  • Full access: This permission grants access to all areas of the Windows Intune administrator console, with no restrictions. An admin with full access can also add and manage other service administrators.

  • Read-only access: This permission grants read permission to all areas of the Windows Intune administrator console. A read-only service admin cannot modify data, but can run reports.

To configure service administrators, see Task 5: Assign Administrative users.

By default, Windows Intune does not assign a service administrator. Instead, you must use a tenant administrator with the global administrator role to assign the first service administrator for your subscription.

  • As a service administrator, you use the Windows Intune administrator console to manage day-to-day tasks for Windows Intune.

  • You assign service administrators from within the Windows Intune administrator console.

  • A service administrator requires a license to Windows Intune before the account can access the administration console.

Different administrative tasks require you to use one of two administrative websites. Because the configurations you make and data from devices that you manage are stored in the cloud, you can manage your subscription from any computer with a supported web browser.

 

Administrative website More information

Windows Intune account portal

As a tenant administrator, use this portal to manage your subscription, including the following tasks when permitted by your administrator role:

  • Manage user accounts for the subscription and configure directory synchronization from your on-premises Active Directory.

  • Manage groups of users, called security groups.

  • Assign licenses to use Windows Intune to users.

  • Configure the domain name that you use with your subscription. The domain name defines the account that users sign in with.

  • Manage billing and purchase details for your subscription, including the number of licenses you have, or the amount of cloud storage space you can use.

  • Find links to view the health of the Windows Intune service.

As a tenant administrator, you can sign in to the account portal to manage the subscription even when your account is not assigned a license to use Windows Intune.

Any user who has a license to Windows Intune but is not an administrator can use this portal to reset their account password and edit their profile.

To access the account portal, your account must have a sign-in status of Allowed. This status is distinct from being granted a license to the subscription. By default, all user accounts are Allowed. For more information, see Task 3: Add users and assign licenses for your subscription.

Windows Intune administrator console

As a service administrator, use this portal to manage day-to-day operations including:

  • Set policies for computers and mobile devices.

  • Upload and deploy software like software updates and apps.

  • Manage Windows Intune Endpoint Protection on computers.

  • View device status and run reports.

A user who does not have service administrator permissions cannot sign in to this portal. An exception to this restriction is a user who is a tenant administrator with the global administrator role.

To access the administration console, your account must have a license to use Windows Intune and a sign-in status of Allowed. By default, all user accounts are set to Allowed. For more information, see Task 3: Add users and assign licenses for your subscription.

The Windows Intune company portal provides users access to company data and apps. Users can access the company portal by using:

  • The company portal app: An application that is available on devices you manage with Windows Intune. This company portal is also called a self-service portal (SSP).

  • The company portal website: A website that provides access from a supported web browser.

Users can use the company portal to:

  • Enroll devices

  • View the status of their devices

  • Download software that is deployed by your organization

  • Contact their IT department for support

Before a user can access the company portal, the user’s account must be granted a license to use Windows Intune and have a sign-in status of Allowed. For more information, see Task 3: Add users and assign licenses for your subscription.

Following are the URLs for the company portal website and the mobile company portal website. When users sign in, they gain access to your company portal website.

To customize the company portal, see Task 7: Configure the Company Portal.

Windows Intune provides a common service infrastructure that supports multiple configurations. The mobile device management authority specifies the configuration that you use to manage mobile devices.

After the configuration is set, the mobile device management authority cannot be changed.

 

| Configuration | Where to set the authority | More information |
|---|---|---|
| Windows Intune stand-alone | Windows Intune administrator console | Step 3: Set the Mobile Device Management Authority for Windows Intune |
| System Center 2012 Configuration Manager | Configuration Manager console | How to Manage Mobile Devices by Using Configuration Manager and Windows Intune |

Windows Intune shares a common foundation with other Microsoft cloud services. When you use the same account to subscribe to multiple cloud services, those services use the same Microsoft Azure AD infrastructure, and they are tenants of Azure AD. Azure AD provides the core directory and identity management capabilities for Microsoft cloud services.

For more information, see Administering your Azure AD directory in the TechNet Library.

You can use Windows Intune as a stand-alone cloud service or as a cloud service that is integrated with other products. Presently, only Configuration Manager can be integrated directly with Windows Intune.

The decision to integrate Windows Intune with Configuration Manager is a permanent choice that requires you to set the mobile device management authority from the Configuration Manager console and not from within the Windows Intune account portal. After the mobile device management authority is set, you cannot change or reverse this configuration.

When you use Windows Intune with Configuration Manager, you do not use the Windows Intune administrator console to manage Windows Intune and instead use the Configuration Manager console. Windows Intune still uses its cloud storage in Azure to host software that you deploy to devices that you manage with Windows Intune.

For more information, see How to Manage Mobile Devices by Using Configuration Manager and Windows Intune in the System Center 2012 Configuration Manager SP1 documentation.

Use the information in the following sections to plan for network traffic for Windows Intune clients.

The following table lists the approximate size and frequency of common content that travels across the network for each client.

 

| Content type | Approximate size | Frequency and details |
|---|---|---|
| Windows Intune client installation | 125 MB | One time. The size of the client download varies depending on the operating system of the client computer. |
| The following requirements are in addition to the Windows Intune client installation: | | |
| Client enrollment package | 15 MB | One time. Additional downloads are possible when there are updates for this content type. |
| Endpoint Protection agent | 65 MB | One time. Additional downloads are possible when there are updates for this content type. |
| Operations Manager agent | 11 MB | One time. Additional downloads are possible when there are updates for this content type. |
| Policy agent | 3 MB | One time. Additional downloads are possible when there are updates for this content type. |
| Remote Assistance via Microsoft Easy Assist agent | 6 MB | One time. Additional downloads are possible when there are updates for this content type. |
| Daily client operations | 6 MB | Daily. The Windows Intune client regularly communicates with the Windows Intune service to check for updates and policies, and to report the client’s status to the service. |
| Endpoint Protection malware definition updates | Varies. Typically 40 KB to 2 MB | Daily. Up to three times a day. |
| Endpoint Protection engine update | 5 MB | Monthly |
| Software updates | Varies. The size depends on the updates you deploy. | Monthly. Typically, software updates release on the second Tuesday of each month. A newly enrolled or deployed computer can use more network bandwidth while downloading the full set of previously released updates. |
| Service packs | Varies. The size varies for each service pack you deploy. | Varies. Depends on when you deploy service packs. |
| Software distribution | Varies. The size depends on the software you deploy. | Varies. Depends on when you deploy software. |

You can use the following methods to reduce network bandwidth use for Windows Intune clients.

You can use a proxy server that can cache content to reduce duplicate downloads and reduce the use of network bandwidth by clients that request content from the Internet.

A caching proxy server receives requests for content from client computers on your network, retrieves that content from the Internet, and can then cache both HTTP responses and binary downloads. The server uses the cached information to answer subsequent requests from Windows Intune client computers.

The following are typical settings to use for a proxy server that caches content for Windows Intune clients.

 

| Setting | Recommended value | Details |
|---|---|---|
| Cache size | 5 GB to 30 GB | The value varies based on the number of client computers in your network and the configurations you use. To prevent files from being deleted too soon, adjust the size of the cache for your environment. |
| Individual cache file size | 950 MB | This setting might not be available in all caching proxy servers. |
| Object types to cache | HTTP, HTTPS, BITS | Windows Intune packages are CAB files retrieved by Background Intelligent Transfer Service (BITS) download over HTTP. |

For information about using a proxy server to cache content, see the documentation for your proxy server solution.

Windows Intune supports using Background Intelligent Transfer Service (BITS) on a Windows computer to reduce the network bandwidth that is used during the hours that you configure. You can configure policy for BITS on the Network bandwidth page of the Windows Intune Agent policy.

To learn more about BITS and Windows computers, see Background Intelligent Transfer Service in the TechNet Library.

Windows Intune clients can use BranchCache to reduce wide area network (WAN) traffic. The following operating systems that are supported as clients also support BranchCache:

  • Windows 7

  • Windows 8

  • Windows 8.1

To use BranchCache, the client computer must have BranchCache enabled, and then be configured for distributed cache mode.

By default, BranchCache and distributed cache mode are enabled on a computer when the Windows Intune client is installed. However, if the client already has Group Policy that disables BranchCache, Windows Intune does not override that policy and BranchCache remains disabled on that computer.

If you use BranchCache, you should communicate with other administrators in your organization who manage Group Policy and Windows Intune Firewall policy to ensure they do not deploy policy that disables BranchCache or Firewall exceptions.

For information about BranchCache, see BranchCache Overview.
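
One way to verify the BranchCache conditions described above on a single client, as an added example that is not part of the original Microsoft topic. It assumes Windows 8 or later (the BranchCache PowerShell module is not available on Windows 7, where `netsh branchcache show status all` reports the same state) and an elevated session; the function name `Test-IntuneBranchCache` is hypothetical.

```powershell
# Added example: audit the BranchCache state that the Windows Intune client relies on.
# Assumes Windows 8 or later with the built-in BranchCache module, run elevated.
function Test-IntuneBranchCache {   # hypothetical helper name
    [CmdletBinding()]
    param()

    $findings = @()
    $status = Get-BCStatus

    # BranchCache must be enabled and its service running.
    if (-not $status.BranchCacheIsEnabled) {
        $findings += 'BranchCache is not enabled.'
    }
    if ("$($status.BranchCacheServiceStatus)" -ne 'Running') {
        $findings += "BranchCache service state: $($status.BranchCacheServiceStatus)."
    }

    # The client must be in distributed cache mode, not hosted cache or disabled.
    $mode = "$($status.ClientConfiguration.CurrentClientMode)"
    if ($mode -ne 'DistributedCache') {
        $findings += "Client mode is '$mode', expected DistributedCache."
    }

    # Firewall exceptions that peers need to find and retrieve cached content.
    $net = $status.NetworkConfiguration
    if (-not $net.ContentRetrievalFirewallRulesEnabled) {
        $findings += 'Content retrieval firewall rules are disabled.'
    }
    if (-not $net.PeerDiscoveryFirewallRulesEnabled) {
        $findings += 'Peer discovery firewall rules are disabled.'
    }

    # Group Policy wins over the Intune default: look for an explicit disable
    # written by the "Turn on BranchCache" policy setting.
    $gpoKey = 'HKLM:\SOFTWARE\Policies\Microsoft\PeerDist\Service'
    $gpo = Get-ItemProperty -Path $gpoKey -Name Enable -ErrorAction SilentlyContinue
    if ($gpo -and $gpo.Enable -eq 0) {
        $findings += "Group Policy disables BranchCache ($gpoKey\Enable = 0)."
    }

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

Test-IntuneBranchCache | Format-List
```

A non-empty `Findings` list that includes the Group Policy entry points to the case above where Windows Intune does not override existing policy, so the fix belongs with whoever owns that policy.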

When your organization signs up for a cloud-based service from Microsoft like Windows Intune, you’re given an initial domain name that looks like the following: contoso.onmicrosoft.com. In this example, contoso is the domain name that you chose when you signed up, and onmicrosoft.com is the suffix assigned to accounts you add to your subscription. After you complete the sign-up process, you cannot change that domain name. However, as a global administrator, you can add your own custom domain names for your organization to use with the service, or you can remove domains that you’ve added previously.

By default, when you use the onmicrosoft domain, each user you import receives the onmicrosoft.com suffix for their user principal name (UPN).

If you want to use a domain name that you own rather than the one that you were given at signup, you can add the domain name to Azure AD. After you add the domain, and it has been verified that you own it, you can create accounts and groups that include the domain name by changing DNS resource records at your DNS hosting provider. To simplify management of user accounts when you plan to use a custom domain, add the custom domain name to your subscription before you begin to synchronize users from your local Active Directory.

Because the information about configuring domain names and DNS resource records for Windows Intune is the same as for other Azure AD tenants, use the information and procedures found under Internet domain management, which include:

After you review the information about domains and DNS resource records, return to this topic to continue learning about Windows Intune.

Windows Intune is a cloud-based service where the infrastructure that hosts your data is managed for you in Azure datacenters. The cloud-based storage of data can raise a number of questions that often include the following:

  • Who has access to the data?

  • Where does Windows Intune store the data when using Microsoft Azure?

  • How is data secured, including transfer between clients, web consoles, and the cloud?

  • How is the privacy of data assured?

  • Who owns the data?

  • Is there any third-party verification?

For answers to these and additional questions related to the security and ownership of data you use with Windows Intune, download and review the Windows Intune Privacy and Data Protection Overview white paper.

You can manage a variety of device types with Windows Intune. The specific features and capabilities depend on the type and version of the devices that you manage. These capabilities can change when Microsoft updates the Windows Intune cloud-based service.

Because you can use Windows Intune as a stand-alone cloud-based service or use Windows Intune integrated with other products, the full extent of devices and capabilities depends on your configuration of Windows Intune.

Use the following links to learn more about the capabilities of Windows Intune when used in various configurations:

 
© 2014 Microsoft