Add Computers, Users, and Mobile Devices
Updated: December 12, 2012
Your environment should now be ready for you to add users and enroll computers or mobile devices.
In this article:
- Adding Users and Security Groups
- Managing User and Device Groups
- Enrolling Computers
- Enrolling Mobile Devices
- Uploading Applications
Adding Users and Security Groups
Windows Intune uses two types of groups to manage policies, software distribution and updates: User Groups and Device Groups. With User Groups, you can make licensed software available to users and target mobile device security policies to the required user accounts. With device groups, you can deploy software and updates, Windows Intune Agent Settings, and Windows Firewall Settings policies.
You can give users access to the Windows Intune company portal. The portal lets users complete common tasks without involving the IT help desk: they can add or remove their own devices and install the licensed software applications that you have made available to them.
For users and security groups to appear in the Windows Intune administrator console, you must sign in to the Windows Intune account portal and do one of the following:
- Manually add users or security groups, or both, to the account portal.
- Use Active Directory synchronization to populate the account portal with synchronized users and security groups.
Note: For detailed information about the directory synchronization process, see Setup and Manage Active Directory Synchronization in the Windows Intune account portal.
To add users manually to the Windows Intune account portal:
- Open the Windows Intune account portal.
- In the header, click Admin.
- In the left pane, under Management, click Users.
- On the Users page, click New, and then click User.
- On the Details page, complete the user information. Click the arrow next to Additional details to add optional user information such as job title or department, and then click Next.
- On the Settings page, if you want the user to have an administrator role, select Yes, and select an administrator role from the list.
- Under Set user location, select the user’s work location, and then click Next.
- On the Group page, under Windows Intune user group, ensure that the name of the user is selected.
- On the Send results in email page, select Send email to send a user name and temporary password (which Windows Intune creates automatically) for the newly created user to yourself and the recipients of your choice by email. Enter email addresses separated by semicolons (;), and then click Create. You can enter a maximum of five email addresses.
- On the Results page, the new user name and a temporary password are displayed. After you review the results, click Finish.
Note: You can import multiple user accounts into Windows Intune from a single file source. The file must be a comma-separated values (CSV) file and adhere to the required format. For more information, see Add Multiple Users with Bulk Import in Online Help.
To add security groups manually to the Windows Intune account portal:
- Open the Windows Intune account portal.
- In the header, click Admin.
- In the left pane, under Management, click Security Groups.
- On the Security Groups page, click New.
- On the Details page, type a display name and description for the group, and then click Save.
- On the Select members page, from the List type list, select which type of members you want to add to the new security group: Users or Groups (other security groups). The available members for the selected list type are displayed under Available members.
- Select the check box next to each member that you want to add, and then click Add. The added members are displayed in the Selected members list.
- To remove a member from the Selected members list, select the check box next to the member that you want to remove, and then click Remove.
- After the list of members is complete, click Save and Close.
After you have set up and activated the user accounts, switch back to the Windows Intune Administrator Console and plan the organization of your User and Device groups.
Managing User and Device Groups
The following steps take you through the process of configuring groups to help organize the users and devices you have added to the service. After viewing this example, you can customize this procedure to meet your organization’s needs.
- From the Windows Intune Administration Console, click the Computers tab.
- You will see two groups: “All Computers” and “Unassigned Computers.” The All Computers group contains all computers managed by the system, whereas the Unassigned Computers group will contain computers that have not been assigned to a group yet by the systems administrator.
- Click on the Create Computer Group link in the Tasks panel on the right.
- In the Name box type “HQ.”
- In the description type “Our HQ site computers.”
- Under the Parent Group heading, make sure the All Computers group is selected so that this group appears at the top level of the groups.
- Now scroll down the page until you can see the Members section of the page.
- Click the Add… button and select computers to add to the group.
- Click OK to add the computers, and then click Create Computer Group.
- Click on the new group in the list to the left to show the status of computers in that group.
- Next, click on the Computers tab in the main information panel to show the computers you added to the group.
You can now repeat these steps for all groups you wish to create. Figure 7 shows three examples of grouping strategies you can use to organize your computers. A managed user can belong to more than one user group, and a managed device to more than one device group, which gives you a great deal of flexibility in how you use groups.
Figure 7. Grouping Examples
These groups can be based on Active Directory Domain Services (AD DS) groups that exist in your domains, but the groups in Windows Intune do not replicate back to AD DS. As a result, you have the flexibility to make changes that better meet your organization’s needs.
Note: The numbers in the group names in the Departmental example in Figure 7 are there only to control the listing order of the groups. By default, groups display alphanumerically.
Enrolling Computers
You can enroll computers in Windows Intune in three ways:
- Administrator Enrollment: The Windows Intune Administrator sets up the computer enrollment on behalf of the computer’s user.
- User Enrollment: The device user self-enrolls a computer through the Windows Intune company portal.
- Embedding in a deployment image: The Windows Intune Administrator embeds the Windows Intune service into the operating system deployment images.
Administrator Enrollment
Before you can manage a computer by using Windows Intune, you must download and install the Windows Intune client software package on the computer, which can be a physical computer or a virtual machine.
The Windows Intune package contains an account certificate (the WindowsIntune.accountcert file) that identifies your account. Anyone who obtains the package, whether an unauthorized or a malicious user, can enroll computers into the account that this certificate represents, so treat the package as you would a credential. To help prevent unauthorized access, we recommend that you employ the following best practices:
To download the client software installation package:
- Open the Windows Intune administrator console.
- In the workspace shortcuts pane, click the Administration icon.
- In the navigation pane, click Client Software Download.
- Ensure that the targeted computer meets the minimum software and hardware requirements that are described earlier in this guide, in Configure Your Windows Intune Environment.
- Click Download Client Software. The client software is contained in a compressed (zipped) folder that can be opened or saved. When you are prompted to choose what you want to do with the Windows_Intune_Setup.zip compressed folder, click Save, and then save the folder to a secure location.
- After the download is complete, click Open Folder and then follow the steps in the next procedure.
Note: Do not rename or move the WindowsIntune.accountcert (ACCOUNTCERT) file that is included in the download; doing so causes the client software installation to fail.
To install the client software on a computer:
- Open the folder where you saved the installation package.
- Double click the Windows_Intune_Setup.zip compressed folder, and then click Extract all files.
- In the Select a Destination and Extract Files dialog box, browse to a secure location to which the Windows Intune setup files will be extracted, and then click Extract. When the extraction is complete, a new window opens showing the files in the specified destination folder similar to that shown in Figure 8.
Figure 8. Windows Intune Setup Files
You can copy the files to a network share or a thumb drive, or deploy them by using an electronic software deployment (ESD) system. However, keep both files together, because the setup application requires the ACCOUNTCERT file when it runs.
- If you want to use a standard installation process, ensure that you are logged on to the targeted computer with an account that is a member of the local Administrators group, double-click the Windows_Intune_Setup.exe file, and then follow the instructions in the Setup Wizard to complete the installation.
- After the installation is complete, restart the computer. A restart is needed to complete the installation of the protection and update agents, and to download any required endpoint protection definitions or other agent updates.
The managed computer should appear in the Windows Intune administrator console within a few minutes, but it can take up to 30 minutes for the agents to be completely installed and to report inventory and status updates. Repeat the preceding procedure on every computer that you want to add to the Windows Intune service.
User Enrollment
To self-enroll a computer, a user must first open the Windows Intune company portal and sign in with his or her Windows Intune user ID.
Users can access the Windows Intune company portal at the following address:
Embedding in a Deployment Image
The standard installation process requires a live Internet connection so that setup can create a one-to-one relationship between the managed computer and the service. You therefore cannot run the standard installation inside a deployment image that will be applied to many computers, because every computer deployed from that image would share the same enrollment and create duplicate computer accounts in Windows Intune. In this case, use the PrepareEnroll command-line argument, which schedules a task that attempts to add the computer at a later time, after the image has been deployed. For information about how to complete this type of installation, see Installing the Client Software as Part of an Image in Online Help.
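The following PowerShell script is an added example; it is not part of the original article or of the Windows Intune client. It stages the extracted client package for either installation path described above (the standard installation, or preparing a deployment image with the PrepareEnroll argument) and applies the handling the account certificate warrants: it refuses to run unless the .exe and .accountcert are together, records a SHA256 of the certificate so stray copies can be recognized, and restricts the folder to Administrators and SYSTEM. The file names come from Figure 8; the extraction folder C:\IntuneClient and the form /PrepareEnroll for the argument are assumptions, not details from this page.

```powershell
<#
  Added example, not the article's or Microsoft's own script.
  Assumptions (not stated on this page): the package was extracted to
  $PackagePath, the files are named Windows_Intune_Setup.exe and
  WindowsIntune.accountcert (as in Figure 8), and the PrepareEnroll
  argument is passed as /PrepareEnroll.
#>
param(
    [string]$PackagePath = 'C:\IntuneClient',   # assumed extraction folder
    [switch]$PrepareForImage                     # set when building a deployment image
)

$setupExe    = Join-Path $PackagePath 'Windows_Intune_Setup.exe'
$accountCert = Join-Path $PackagePath 'WindowsIntune.accountcert'

# Setup fails if the ACCOUNTCERT file is missing, renamed or moved, so check that
# both files are side by side before doing anything else.
foreach ($f in @($setupExe, $accountCert)) {
    if (-not (Test-Path -LiteralPath $f -PathType Leaf)) {
        throw "Required file not found: $f. Keep the .exe and the .accountcert together."
    }
}

# The ACCOUNTCERT ties the package to your account: anyone who can read it can
# enroll computers into that account. Record a hash so copies can be recognized
# later, and restrict the folder to Administrators and SYSTEM (least privilege).
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$bytes  = [System.IO.File]::ReadAllBytes((Resolve-Path -LiteralPath $accountCert).Path)
$hash   = ($sha256.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
Write-Host "ACCOUNTCERT SHA256: $hash"

$acl = Get-Acl -LiteralPath $PackagePath
$acl.SetAccessRuleProtection($true, $false)    # stop inheriting and drop inherited ACEs
foreach ($identity in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $identity, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -LiteralPath $PackagePath -AclObject $acl

# Setup needs local administrator rights (see the standard installation step above).
$current   = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $current
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (Administrator) session.'
}

# /PrepareEnroll schedules the enrollment for later instead of enrolling now, which
# is what an image needs: enrolling inside the image would make every deployed
# computer report as the same computer account.
$startArgs = @{ FilePath = $setupExe; Wait = $true; PassThru = $true }
if ($PrepareForImage) { $startArgs.ArgumentList = '/PrepareEnroll' }
$proc = Start-Process @startArgs
if ($proc.ExitCode -ne 0) {
    throw "Windows_Intune_Setup.exe exited with code $($proc.ExitCode)"
}
Write-Host 'Setup finished. Restart the computer to complete the agent installation.'
```

Run it without parameters on a computer you are enrolling directly, or with -PrepareForImage on the reference machine before you capture the image. The hash is printed, not stored, so that you can keep it wherever you keep your package inventory; the ACL change is deliberately applied before setup runs so the certificate is never world-readable on the target.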
Enrolling Mobile Devices
Before you can enroll mobile devices, you need to complete a few steps to prepare the account for the mobile devices you will be managing.
Preparing for Device Enrollment
First, you must prepare the Windows Intune service and enable mobile device management through the Windows Intune cloud service.
Note: If you intend to manage your mobile devices through System Center 2012 Configuration Manager with SP1, you should stop now and instead complete the MDM preparation from the Configuration Manager management console. For more details on this process, see Getting Started with System Center 2012 Configuration Manager.
To set up cloud-based MDM in the Windows Intune Administrator console:
- Log on to the Windows Intune Administration Console as a Service Administrator with full access.
- Click the Administration workspace.
- Click the Mobile Device Management menu option and then select Set Mobile Device Management Authority as highlighted in Figure 9.
- At the Set MDM authority window select Yes.
Figure 9. Mobile Device Management Authority
After you have activated mobile device management in the Windows Intune Administrator console, you will need to complete the setup steps for each mobile device platform you are going to support. If you want to manage iOS devices, you will need to obtain an Apple Push Notification service (APNs) certificate and then upload it to Windows Intune. For more information on this process see iOS Mobile Device Management in Online Help.
Setting up your Enrollment Server Address
Mobile devices require access to an enrollment server during the enrollment process. One option is to give the address to your users so that they can enter it manually during device enrollment. Alternatively, you can automate discovery of the enrollment server by adding a Domain Name System (DNS) record to your DNS server. This option requires a verified domain name registered with your Windows Intune account.
For more information on setting up automatic detection of enrollment servers for your users, see Setting up your DNS server for enrollment in Online Help.
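The following PowerShell check is an added example, not part of the original article or of Windows Intune. It looks up the enrollment auto-discovery record for a verified domain and reports whether users will be able to skip typing the enrollment server address. This page does not state the record's name or target; the script assumes the Windows MDM auto-discovery convention of a CNAME named EnterpriseEnrollment.<your-domain> pointing at the enrollment server, and uses contoso.com and manage.microsoft.com as placeholder values that you should replace.

```powershell
<#
  Added example, not the article's or Microsoft's own script.
  Assumptions (not stated on this page): the auto-discovery record is a CNAME
  named EnterpriseEnrollment.<domain>, and its expected target is the
  enrollment server host name given in -ExpectedTarget.
#>
param(
    [string]$Domain         = 'contoso.com',          # replace with your verified domain
    [string]$ExpectedTarget = 'manage.microsoft.com'  # assumed enrollment server name
)

$recordName = "EnterpriseEnrollment.$Domain"

try {
    # Resolve-DnsName ships with Windows 8 / Windows Server 2012 and later.
    $answers = Resolve-DnsName -Name $recordName -Type CNAME -ErrorAction Stop
} catch {
    Write-Warning "No record found for $recordName; users will have to type the enrollment server address by hand."
    Write-Warning $_.Exception.Message
    exit 1
}

# A lookup can succeed with a non-CNAME answer (for example a wildcard A record),
# which would not help auto-discovery, so insist on the CNAME itself.
$cname = $answers | Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
if (-not $cname) {
    Write-Warning "$recordName exists but is not a CNAME record; check the record type on your DNS server."
    exit 1
}

# Compare case-insensitively and ignore the trailing dot some servers return.
$target = $cname.NameHost.TrimEnd('.')
if ($target -ieq $ExpectedTarget) {
    Write-Host "OK: $recordName -> $target"
    exit 0
}
Write-Warning "$recordName points at $target, expected $ExpectedTarget."
exit 1
```

Run it from a client on the same networks your users enroll from, not only from the DNS server, so that you also catch split-horizon zones and stale caches.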
If you choose not to add a DNS record to your DNS server, your users will need to know the enrollment server address for their device so that they can enter it during the enrollment process. This address is:
Windows Intune is now ready to manage your Windows RT mobile devices. However, if you also plan to support Windows Phone 8 or iOS devices, you will need to complete a few more steps to enable the required management channel for these devices.
Windows Phone 8 Device Setup
To manage Windows Phone 8 devices, you must first obtain the code-signing certificate for your organization’s applications and upload it to the Windows Intune service. The certificate is deployed to the device automatically during enrollment so that the device will trust the Windows Phone 8 company portal app and the LOB apps you have signed with it. The following steps describe how to complete this process.
1. Get a Windows Phone Dev Center account and an Enterprise Mobile Code Signing Certificate. Go to the Windows Phone Dev Center to get a company Publisher ID, and use your Publisher ID to purchase an Enterprise Mobile Code Signing Certificate. Typically these steps are required only once for an organization, and the certificate will be used by your organization’s app developers.
2. Sign your LOB app. Download the Signtool from the Windows Phone 8 SDK at https://dev.windowsphone.com/en-us. For end-user mobile devices to run the app, it must be signed by a Certificate Authority that the target Windows Phone 8 devices trust. Use the Signtool app to sign your apps with your organization’s Enterprise Mobile Code Signing Certificate.
3. Sign the Windows Phone 8 company portal app. Download the Windows Phone 8 company portal app and, using Signtool, sign it with your Enterprise Mobile Code Signing Certificate.
4. Upload and deploy the signed Windows Phone 8 company portal app. From the Windows Intune administrator console, upload the signed company portal app file and deploy it to all users.
After you have uploaded the signed company portal app, users who enroll their devices will have the portal app downloaded to their device automatically during the enrollment process.
iOS Device Setup
To enable mobile device management for iOS devices, you must obtain an Apple Push Notification service (APNs) certificate and make it available to Windows Intune. The following steps describe how to complete this setup process:
1. Download an APNs certificate request. From the Windows Intune Administrator console, download the Apple Push Notification service certificate request and save it to your local computer.
2. Get an APNs certificate. Create an APNs certificate in the Apple Push Certificates portal using the certificate request you created in the first step. Use a company Apple ID associated with an email account that will remain in the possession of your company rather than an individual, because the certificate must be renewed with the same Apple ID. Save the certificate PEM file locally.
3. Upload the APNs certificate. From the Windows Intune Administration console, upload the APNs certificate to your Windows Intune account.
Enrolling a Windows RT Device
To enroll a Windows RT device, users should follow these steps on their device:
- On the Windows RT device, bring up the Search Charm, select Settings, and search for “CompanyApps.”
- Start Company Apps and, when prompted, enter their Windows Intune user ID and password.
- If the auto-enrollment DNS entry was not specified in the Administration console, enter the enrollment server’s address for enrollment to complete.
- After the device has been enrolled, select the link to install the company portal application from the Windows Store.
Figure 10. Completing the Enrollment Process
Windows Intune can now manage the Windows RT device, and the authenticated user should be able to access company apps and manage their devices through the company portal.
Enrolling a Windows Phone 8 Device
To enroll a Windows Phone 8 device, users should follow these steps:
- Initiate enrollment through the Windows Phone 8 device by going to system settings and selecting company apps, as shown in Figure 11.
- The enrollment process prompts users for their company credentials. If the Auto-enrollment DNS entry was not specified in the Administration console, the user must provide the enrollment server’s address for enrollment to complete.
- Successful authentication establishes a relationship between the user, the Windows Phone 8 device, and the Windows Intune service, at which point an authentication certificate is installed on the device. To enable device management, users should select the “Install company app or Hub” check box. If users do not select it, they will not be able to download the company portal. Figure 12 shows this setting.
- The company portal then installs on the device, enabling Windows Intune to collect inventory and apply management settings. Users should now have access to LOB apps through the Windows Phone 8 company portal app.
Figure 11. Company Apps Setting
Figure 12. Enabling Installation of the Company Portal
Enrolling an iOS Device
To enroll an iOS device, users should follow these steps:
- Browse to the Windows Intune company portal website directly from the web browser on the device. Alternatively, the administrator can send the user an email invitation that includes a link to the company portal and their User ID details.
- Enter Windows Intune user credentials to start the enrollment process.
- Accept the prompt to install the company’s management profile.
- Successful authentication establishes a relationship between the user, the iOS device, and the Windows Intune service.
- Windows Intune collects inventory and applies management settings and users now have access to LOB apps through the web-based Windows Intune Mobile company portal at: https://m.manage.microsoft.com.
Uploading Applications
As with previous versions of Windows Intune, you can deploy .exe and .msi applications directly to the Windows PCs that Windows Intune manages by using the Admin console to deploy applications to device groups.
New in this release, however, is the ability to make .appx, .xap, web apps, and public store apps (through deep links) available for users to install for themselves from the Windows Intune company portal. These new applications are published to the company portal application or web site so that users can select the apps they need. The following table shows how each platform can access the company portal.
Mobile Device Line of Business (LOB) Software Publishing
There are two ways to deploy applications to mobile devices with Windows Intune:
- External link: Use the Add Software wizard in the Admin console to set up links to applications in the Windows Store, Windows Phone Store, Apple App store, and Google Play. These can then be published to users through the Company Portal. In addition, you can provide links to web-based applications that will run on the device through the device’s own web browser.
- Software installer: You can provide a signed application package that is then uploaded by the Administrator to the Windows Intune service directly and then “sideloaded” onto the managed devices. Sideloading an app enables you to distribute an app directly to a device without going through a public application store.
The following list shows the mobile device platforms to which Windows Intune can sideload and the software file types required for each platform:
- Windows Phone 8: .xap
- iOS: .ipa and the .plist manifest file
Publishing applications to these devices requires that the necessary certificates and keys are in place so that your signed applications will install. The following sections explain the steps required to enable application publishing for each of your supported device platforms.
Windows 8 Application Setup
To enable application publishing for Windows 8, you will first need to obtain your sideloading key. To obtain this key from Microsoft, sign in to the Volume Licensing Service Center (VLSC) and complete the following steps.
1. Obtain and upload a sideloading key. Before you can install sideloaded line of business (LOB) apps on Windows 8 devices, you must obtain and activate sideloading keys from the VLSC. For more information about sideloading product activation keys, see Microsoft Volume Licensing. You then upload your sideloading key from the Windows Intune Administration console.
2. Upload a code-signing certificate. If you have a certificate from your company’s Certificate Authority, log in to the Windows Intune Administrator console and use the Modify Code-Signing Certificate option to specify the code-signing certificate you want to use for your LOB Windows 8 apps. Note that all LOB apps must be code-signed, but if your signing certificate chains to a trusted public certificate authority you will not need to add an additional code-signing certificate here. You need this configuration change only if you sign your applications with a certificate that the device cannot verify through one of the public certificate authorities.
Users of managed Windows RT devices will now be able to install your published LOB apps on their devices. To enable these LOB apps to be sideloaded on Windows 8 PCs some additional steps may be required. Take a look at the Windows 8 Sideloading Requirements TechNet page for more details.
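The following PowerShell script is an added example and not part of the original article or of Windows Intune. It checks a Windows 8 PC against the sideloading prerequisites that this page refers to only by reference: the “Allow all trusted apps to install” policy, the sideloading product key where the edition needs one, and a signature on the .appx package that chains to a root the device trusts. The registry value name AllowAllTrustedApps and the sideloading activation ID ec67814b-30e6-4a50-bf7b-d55daf729d1e come from the TechNet sideloading guide, not from this page; the sample package path is an assumption.

```powershell
<#
  Added example, not the article's or Microsoft's own script. Run in an
  elevated session on the Windows 8 PC you intend to publish LOB apps to.
  Assumptions (from the TechNet sideloading guide, not this page): the policy is
  stored as AllowAllTrustedApps under HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx,
  and the sideloading activation ID used with slmgr.vbs is
  ec67814b-30e6-4a50-bf7b-d55daf729d1e. The package path is a placeholder.
#>
$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'
$sideloadId  = 'ec67814b-30e6-4a50-bf7b-d55daf729d1e'
$packagePath = 'C:\LOB\ExpenseReports.appx'   # assumed sample LOB package
$problems    = @()

# 1. "Allow all trusted apps to install" must be enabled for sideloaded .appx packages.
$allow = Get-ItemProperty -Path $policyKey -Name AllowAllTrustedApps -ErrorAction SilentlyContinue
if (-not $allow -or $allow.AllowAllTrustedApps -ne 1) {
    $problems += 'AllowAllTrustedApps is not 1 (Group Policy: Allow all trusted apps to install).'
}

# 2. A domain-joined Windows 8 Enterprise PC needs no sideloading key; every other
#    edition does. slmgr.vbs /dli <id> prints the licence status for that product.
$edition      = (Get-WmiObject Win32_OperatingSystem).Caption
$domainJoined = (Get-WmiObject Win32_ComputerSystem).PartOfDomain
if (-not ($edition -match 'Enterprise' -and $domainJoined)) {
    $status = cscript.exe //nologo "$env:SystemRoot\System32\slmgr.vbs" /dli $sideloadId 2>&1 | Out-String
    if ($status -notmatch 'License Status:\s*Licensed') {
        $problems += "Sideloading key is not activated on $edition. Install it with slmgr.vbs /ipk <key>, then slmgr.vbs /ato $sideloadId."
    }
}

# 3. Every LOB .appx must carry a signature the device can chain to a trusted root.
#    A Valid status here means no extra code-signing certificate needs to be uploaded
#    in the Windows Intune administrator console for this package.
if (Test-Path -LiteralPath $packagePath) {
    $sig = Get-AuthenticodeSignature -FilePath $packagePath
    if ($sig.Status -ne 'Valid') {
        $problems += "$packagePath signature status is $($sig.Status): sign it with a certificate the device trusts, or upload your code-signing certificate in the Windows Intune administrator console."
    }
} else {
    $problems += "Package $packagePath not found; point `$packagePath at the .appx you plan to publish."
}

if ($problems.Count -eq 0) {
    Write-Host 'All sideloading prerequisites are met.'
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

Check 3 is the one that most often bites: a package signed with an internal CA certificate reports NotSigned or UnknownError on a PC that lacks that CA in its Trusted Root store, and the Windows Intune upload of the code-signing certificate exists precisely to close that gap.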
Windows Phone 8 Application Setup
Sideloading Windows Phone 8 apps onto a device requires that your developers sign the apps with the Enterprise Mobile Code Signing certificate you obtained during the Windows Phone 8 device setup phase earlier. The following steps describe how to complete this process.
1. Sign your LOB app. Use the Signtool app from the Windows Phone 8 SDK to sign your apps with your organization’s Enterprise Mobile Code Signing Certificate.
2. Upload and publish LOB apps. You can now upload your signed LOB apps from the Windows Intune administrator console and deploy them to the target users.
iOS Application Setup
For Windows Intune to manage iOS devices, you must obtain an Apple Push Notification service (APNs) certificate and make that certificate available to Windows Intune, as described in iOS Device Setup earlier. In addition, any LOB application must be signed with a valid iOS Developer Enterprise Program certificate so that the iOS device will accept it. Use the following steps to complete this setup process.
1. Join the iOS Developer Enterprise Program. If you plan to develop in-house iOS applications that you wish to install with Windows Intune, you must purchase membership in the iOS Developer Enterprise Program. Note: A Dun & Bradstreet (D-U-N-S) Number is required for enrollment. If you are commissioning an external developer to create your line of business iOS applications, you must make sure that they can sign your application with a valid iOS Developer Enterprise Program certificate.
2. Sign all apps you plan to deploy to iOS devices. You, or your iOS developer, must sign all apps you want to deploy to iOS devices with the same certificate.
3. Upload and publish LOB apps. The apps can now be uploaded using the Windows Intune administrator console. Then, by using the Manage Deployment wizard, each app can be targeted to the required users.