Export (0) Print
Expand All

What to know before setting up Microsoft Intune

Updated: April 28, 2015

Applies To: Microsoft Intune

Before you set up Microsoft Intune, you might want to review Microsoft Intune Evaluation Guide. After you are familiar with the capabilities of Intune, you should be ready to set up your subscription. If you start with a trial subscription, at a later time you can convert it to a full subscription. To convert a trial subscription, see How to buy Intune.

This topic includes information about:

You use two types of administrator accounts, user accounts with additional permissions, and two separate administration consoles to grant your admins access to the things they should manage. The following sections explain these accounts and portals.

 

Account type Permission levels More information

Tenant administrator

Tenant administrators are assigned one administrator role, which defines the administrative scope for that user and the tasks they can manage.

Administrator roles are common between the different Microsoft cloud services although some services might not support some roles. Intune uses the following roles:

  • Global administrator

  • Billing administrator

  • Password administrator

  • Service support administrator

  • User management administrator

Learn more about administrator roles: Reference for Tenant Administrator accounts for Microsoft Intune.

Assign administrative users.

By default, the account you use to create your Intune subscription is a tenant administrator with the global administrator role.

  • As a tenant administrator, you use the Microsoft Intune account portal to manage your subscription for Intune.

  • You assign tenant administrators from within the account portal.

  • Use a tenant administrator with the global administration role to access the Microsoft Intune administrator console to assign your first service administrator.

  • As a best practice, do not use a tenant administrator for day-to-day management tasks.

  • A tenant administrator does not require a license to Intune to access the account portal.

The tenant administrator is a common concept between Microsoft cloud services. When you subscribe to Intune, your service is a tenant of Microsoft Azure AD.

Service administrator

Service administrators are assigned one of the following permissions:

  • Full access: Grants access to all areas of the Microsoft Intune administrator console, with no restrictions. Can also add and manage other service administrators.

  • Read-only access: Grants read permission to all areas of the Microsoft Intune administrator console. A read-only service admin cannot modify data, but can run reports.

Assign administrative users

By default, Intune does not assign a service administrator. Instead, you must use a tenant administrator with the global administrator role to assign the first service administrator for your subscription.

  • As a service administrator, you use the Microsoft Intune administrator console to manage day-to-day tasks for Intune.

  • You assign service administrators from within the administrator console.

  • A service administrator requires a license to Intune before the account can access the administration console.

Device enrollment manager

Device enrollment managers are standard user accounts that have additional permission to enroll more than five devices.

Learn about device enrollment managers.

By default, each Microsoft Intune user can enroll up to five devices.

However, you can give a user account the device enrollment manager permission and then use that account to enroll large groups of corporate-owned devices. This is useful when the devices might be assigned to users on a temporary basis, or serve in a kiosk mode where a user to device association is not required.

Different administrative tasks require you to use one of two administrative websites. Because the configurations you make and data from devices that you manage are stored in the cloud, you can manage your subscription from any computer with a supported web browser.

 

Administrative website More information

Microsoft Intune account portal

As a tenant administrator, use this portal to manage your subscription, including the following tasks when permitted by your administrator role:

  • Manage user accounts for the subscription and configure directory synchronization from your on-premises Active Directory.

  • Manage groups of users, called security groups.

  • Assign licenses to use Intune to users.

  • Configure the domain name that you use with your subscription. The domain name defines the account that users sign in with.

  • Manage billing and purchase details for your subscription, including the number of licenses you have, or the amount of cloud storage space you can use.

  • Find links to view the health of the Intune service.

As a tenant administrator, you can sign in to the account portal to manage the subscription even when your account is not assigned a license to use Intune.

Any user who has a license to Intune but is not an administrator can use this portal to reset their account password and edit their profile.

To access the account portal, your account must have a sign-in status of Allowed. This status is distinct from being granted a license to the subscription. By default, all user accounts are Allowed.

Learn more about adding users and assigning licenses for your subscription.

Microsoft Intune administrator console

As a service administrator, use this portal to manage day-to-day operations including:

  • Set policies for computers and mobile devices.

  • Upload and deploy software like software updates and apps.

  • Manage Intune Endpoint Protection on computers.

  • View device status and run reports.

A user who does not have service administrator permissions cannot sign in to this portal. An exception to this restriction is a user who is a tenant administrator with the global administrator role.

To access the administration console, your account must have a license to use Intune and a sign-in status of Allowed. By default, all user accounts are set to Allowed.

Learn more about adding users and assigning licenses for your subscription.

The Microsoft Intune company portal provides users access to company data and apps. Users can access the company portal by using:

  • The company portal app: An application that is available on devices you manage with Intune. This company portal is also called a self-service portal (SSP).

  • The company portal website: A website that provides access from a supported web browser.

Users can use the company portal to:

  • Enroll devices

  • View the status of their devices

  • Download software that is deployed by your organization

  • Contact your IT department for support

Before a user can access the company portal, the user’s account must be granted a license to use Intune and have a sign-in status of Allowed. Learn more about adding users and assigning licenses for your subscription.

Following is the ULR for the company portal website. When users sign in, they gain access to your company portal website.

Learn more about customizing the company portal.

Intune provides a common service infrastructure that supports multiple configurations. The mobile device management authority specifies the configuration that you use to manage mobile devices.

After the configuration is set, the mobile device management authority cannot be changed.

 

Configuration Where to set the authority More information

Intune stand-alone

Microsoft Intune administrator console

Prepare for mobile device management

System Center 2012 Configuration Manager

Configuration Manager console

How to Manage Mobile Devices by Using Configuration Manager and Microsoft Intune

Intune shares a common foundation with other Microsoft cloud services. When you use the same account to subscribe to multiple cloud services, those services use the same Microsoft Azure AD infrastructure, and they are tenants of Azure AD. Azure AD provides the core directory and identity management capabilities for Microsoft cloud services.

Learn more about administering Azure AD in the TechNet Library.

You can use Microsoft Intune as a stand-alone cloud service or as a cloud service that is integrated with other products. Presently, only Configuration Manager can be integrated directly with Intune.

The decision to integrate Intune with Configuration Manager is a permanent choice that requires you to set the mobile device management authority from the Configuration Manager console and not from within the Microsoft Intune account portal. After the mobile device management authority is set, you cannot change or reverse this configuration.

When you use Intune with Configuration Manager, you do not use the Microsoft Intune administrator console to manage Intune and instead use the Configuration Manager console. Intune still uses its cloud storage in Azure to host software that you deploy to devices that you manage with Intune.

For more information, see How to Manage Mobile Devices by Using Configuration Manager and Microsoft Intune in the System Center 2012 Configuration Manager SP1 documentation.

Use the information in the following sections to plan for network traffic for Microsoft Intune clients.

The following table lists the approximate size and frequency of common content that travels across the network for each client.

noteNote
To ensure that computers and mobile devices receive the necessary updates and content from the Intune service, they must be periodically connected to the Internet. The time taken to receive updates or content will vary, but as a guideline, they should remain continuously connected to the Internet for at least 1 hour each day.

 

Content type Approximate size Frequency and details

Intune client installation

125 MB

One time

The size of the client download varies depending on the operating system of the client computer.

The following requirements are in addition to the Intune client installation

Client enrollment package

15 MB

One time

Additional downloads are possible when there are updates for this content type.

Endpoint Protection agent

65 MB

One time

Additional downloads are possible when there are updates for this content type.

Operations Manager agent

11 MB

One time

Additional downloads are possible when there are updates for this content type.

Policy agent

3 MB

One time

Additional downloads are possible when there are updates for this content type.

Remote Assistance via Microsoft Easy Assist agent

6 MB

One time

Additional downloads are possible when there are updates for this content type.

Daily client operations

6 MB

Daily

The Intune client regularly communicates with the Intune service to check for updates and policies, and to report the client’s status to the service.

Endpoint Protection malware definition updates

Varies

Typically 40 KB to 2 MB

Daily

Up to three times a day.

Endpoint Protection engine update

5 MB

Monthly

Software updates

Varies

The size depends on the updates you deploy.

Monthly

Typically, software updates release on the second Tuesday of each month.

A newly enrolled or deployed computer can use more network bandwidth while downloading the full set of previously released updates.

Service packs

Varies

The size varies for each service pack you deploy.

Varies

Depends on when you deploy service packs.

Software distribution

Varies

The size depends on the software you deploy.

Varies

Depends on when you deploy software.

You can use one or more of the following methods to reduce network bandwidth use for Intune clients.

You can use a proxy server that can cache content to reduce duplicate downloads and reduce the use of network bandwidth by clients that request content from the Internet.

A caching proxy server receives requests for content from client computers on your network, retrieves that content from the Internet, and can then cache both HTTP responses and binary downloads. The server uses the cached information to answer subsequent requests from Intune client computers.

The following are typical settings to use for a proxy server that caches content for Intune clients.

 

Setting Recommended value Details

Cache size

5 GB to 30 GB

The value varies based on the number of client computers in your network and the configurations you use. To prevent files from being deleted too soon, adjust the size of the cache for your environment.

Individual cache file size

950 MB

This setting might not be available in all caching proxy servers.

Object types to cache

HTTP

HTTPS

BITS

Intune packages are CAB files retrieved by Background Intelligent Transfer Service (BITS) download over HTTP.

For information about using a proxy server to cache content, see the documentation for your proxy server solution.

Microsoft Intune supports using Background Intelligent Transfer Service (BITS) on a Windows computer to reduce the network bandwidth that is used during the hours that you configure. You can configure policy for BITS on the Network bandwidth page of the Intune Agent policy.

To learn more about BITS and Windows computers, see Background Intelligent Transfer Service in the TechNet Library.

Intune clients can use BranchCache to reduce wide area network (WAN) traffic. The following operating systems that are supported as clients also support BranchCache:

  • Windows 7

  • Windows 8

  • Windows 8.1

To use BranchCache, the client computer must have BranchCache enabled, and then be configured for distributed cache mode.

By default, BranchCache and distributed cache mode are enabled on a computer when the Intune client is installed. However, if the client already has Group Policy that disables BranchCache, Intune does not override that policy and BranchCache will remains disabled on that computer.

If you use BranchCache, you should communicate with other administrators in your organization who manage Group Policy and Microsoft Intune Firewall policy to ensure they do not deploy policy that disables BranchCache or Firewall exceptions.

Learn more: BranchCache Overview.

When your organization signs up for a cloud-based service from Microsoft like Microsoft Intune, you’re given an initial domain name that looks like the following: contoso.onmicrosoft.com. In this example, contoso is the domain name that you chose when you signed up, and onmicrosoft.com is the suffix assigned to accounts you add to your subscription. After you complete the sign-up process, you cannot change that domain name. However, as a global administrator, you can add your own custom domain names for your organization to use with the service, or you can remove domains that you’ve added previously.

By default, when you use the onmicrosoft domain, each user you import receives the onmicrosoft.com suffix for their user principal name (UPN).

If you want to use a domain name that you own rather than the one that you were given at signup, you can add the domain name to Azure AD. After you add the domain, and it has been verified that you own it, you can create accounts and groups that include the domain name by changing DNS resource records at your DNS hosting provider. To simplify management of user accounts when you plan to use a custom domain, add the custom domain name to your subscription before you begin to synchronize users from your local Active Directory.

Because the information about configuring domain names and DNS resource records for Intune is the same as for other Azure AD tenants, use the information and procedures found under Internet domain management, which include:

After you review the information about domains and DNS resource records, return to this topic to continue learning about Intune.

Intune is a cloud-based service where the infrastructure that hosts your data is managed for you in Azure datacenters. The cloud-based storage of data can raise a number of questions that often include the following:

  • Who has access to the data?

  • Where does Intune store data when using Microsoft Azure?

  • How is data secured, including transfer between clients, web consoles, and the cloud?

  • How is the privacy of data assured?

  • Who owns the data?

  • Is there any third-party verification?

These and additional data security questions are answered in the Microsoft Intune Privacy and Data Protection Overview white paper.

You can manage a variety of device types with Intune. The specific features and capabilities depend on the type and version of the devices that you manage. These capabilities can change when Microsoft updates the Intune cloud-based service.

Because you can use Intune as a stand-alone cloud-based service or use Intune integrated with other products, the full extent of devices and capabilities depends on your configuration of Intune.

Use the following links to learn more about the capabilities of Intune when used in various configurations:


To navigate Intune documentation on TechNet, see the Intune Site Map. Want to try Intune? Sign up for a 30-day trial.
Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2015 Microsoft