Getting started with Microsoft Intune: walkthrough guide
Updated: June 26, 2015
Applies To: Microsoft Intune
This walkthrough guide helps you to get started using Microsoft Intune to manage mobile devices and computers in under an hour. If you want to learn more about Intune before using this guide, please see the Microsoft Intune features and the Microsoft Intune Service Description.
Before you start this walkthrough, you will need the following:
Administrator device. A device with a Silverlight-enabled web browser that you can use to access the websites where you, the IT administrator, create user accounts (the Account Portal) and where you manage devices and users (the Admin Console).
A mobile device (or use InPrivate browsing on the administrator device). A second device with a web browser that you can use to access the Company Portal to see how most Intune users will enroll and manage their devices, find and install software, and request help from administrators.
Instead of using a second device with a web browser, you can use the “privacy mode” setting on the same browser that you use for Intune administration (for example: in Internet Explorer, you can click Settings > Safety > InPrivate Browsing).
Microsoft Online Services work or school account, if you have one. If you have an existing Microsoft Online Services account, you will need the tenant administrator credentials for that account. You don’t need this if you don’t have such an account, or if you want to use this walkthrough for evaluation purposes only.
Certificates and accounts. Depending on which types of devices you will manage in this walkthrough, you might need several certificates (or keys) and accounts to retrieve those certificates:
Windows Phone 8 and Windows Phone 8.1
Follow the installation instructions provided on the support tool download page to upload the signed SSP.xap file in the Intune account portal. This enables Windows Phone trial account enrollment.
Windows RT, Windows RT 8.1, or Windows 8.1 devices.
There are no requirements for enrolling Windows RT and Windows devices.
To learn more, see Set up your computers to be managed by Microsoft Intune.
iOS 6.0 or later
Get an Apple Push Notification service certificate.
Request an Apple Push Notification service certificate from Apple, as described here: Start managing iOS devices with Microsoft Intune.
You can complete this walkthrough in 30 minutes to set up a few users and either a few mobile devices or a few computers. With an hour, you can set up both mobile devices and computers, and also complete the optional portion of the walkthrough in which you configure alerts, notifications and reports.
The time required for each task is as follows:
Step 1: Sign up or sign in: 5 minutes if you are signing up, or if you are signing in with an existing Microsoft Online Services work or school account.
Step 2: Add Intune users: 5 minutes if you are just creating a few user accounts and giving some of those accounts administrator permissions.
Step 3: Create groups to organize users and devices: 5 minutes to create a basic group for non-administrative users.
Step 4: Create policies and prepare to deploy an application: 5 minutes to create a default mobile device security policy and a computer firewall policy, and to prepare to deploy an application to devices using an external link.
Step 5: Install Intune software on computers: 5 minutes.
Step 6: Set up mobile device management in Intune: 10 minutes per mobile device platform.
Whether you sign up or sign in depends on whether your organization already has a Microsoft Online Services work or school account, whether you have an Enterprise Agreement or equivalent volume licensing agreement with Microsoft, and whether you plan to use the subscription that you set up as part of this walkthrough after you evaluate Intune:
Sign Up for a new account if:
You don’t have a work or school account, as is provided when you sign a volume licensing agreement with Microsoft or subscribe to Office 365. You should sign up for a new account if your organization does not have a work or school account. If your organization has not signed an Enterprise Agreement or equivalent volume licensing agreement with Microsoft (or has an Office 365 account), then you do not have a Microsoft Online Services account that you can use to sign in to Microsoft Online Services.
You will discard your free trial after completing the walkthrough. You should sign up for a new account if you are using your Intune free trial subscription for evaluation purposes only, and you plan to redo your Intune service setup and device provisioning after using this walkthrough guide. This is the recommended option if you plan to use Intune with System Center 2012 Configuration Manager.
Sign In with your work or school account if:
You have a work or school account provided with a volume licensing agreement or Office 365 subscription, and you are using this walkthrough to set up Intune. If you have a Microsoft Online Services work or school account, which is provided when you sign an Enterprise Agreement or equivalent volume licensing agreement with Microsoft (or when you subscribe to Office 365), and you want to use the steps in this walkthrough to set up the Intune service and provision devices for production use, you should sign in with your existing work or school account. This will ensure that your Intune free trial links to your existing Microsoft Online Services.
To sign up or sign in to Intune
On the Sign up page you have two options:
Subscribe using your Microsoft Online Services work or school account: Click Sign in if you already have a work or school account, and you want to use the same account to subscribe to both services. When you use the same account for multiple services, those services use the same Azure AD infrastructure and are tenants of Azure AD. Azure AD provides the core directory and identity management capabilities for Microsoft cloud services.
Subscribe to Intune only: If you do not yet subscribe to a cloud service, complete the form on the sign-up page to subscribe to Intune.
Country or region
Sets the Azure region where the data you use with Intune is located. This also determines billing and applicable taxes for the cloud service.
This selection determines the fields that appear later in this form where you specify your physical address.
Sets the language that you want to use for business communications from Microsoft.
First name and Last name
These are associated with the initial user account that Intune creates to manage your subscription.
This is typically your company name, and is the name that will display to users who interact with your subscription.
The mailing address of your organization.
The email address where you receive service information, billing, and details for password resets. Additionally, promotional information that you choose to receive is sent to this address.
New domain name
Specify a domain name to use with onmicrosoft.com. This domain name is free with your trial or paid subscription.
By default, this domain name is associated with your subscription and user accounts that you add to Intune. After you subscribe, you can add and use a domain name that you already own, or continue to use the free onmicrosoft.com domain.
New User ID and password
Specify an account name and password for the initial tenant administrator account for your subscription. This can be any name you choose and will be associated with the first name and last name you provided in this same form.
After you complete the form and accept the Microsoft Online Subscription Agreement:
You are automatically signed in to the Microsoft Intune account portal with the tenant administrator account.
An email message that contains your account information is sent to the email address that you provided during sign-up. This confirms your subscription is active.
Now that your account has been set up, add user accounts that will be used by other users of Intune.
Use the New users wizard to add individual user accounts. Follow the procedure below to create at least three additional user accounts, with unique names for each user. Each user account that you add counts against the 100 licenses that are available to you as part of your Intune free trial.
To learn more about adding users, see Set up Microsoft Intune.
To add individual users
In the Intune account portal, click Add Users > New > User to start the New users wizard.
On the Details page, complete the required fields.
On the Settings page, set the location for the user.
On the Group page, click Next to accept the default and assign a license for Intune to the user’s account. This will count against the set of 100 licenses that you have available as part of your free trial.
On the Email page, specify up to five email addresses that will receive notification of the user name and temporary password for the account. Separate multiple email addresses by semicolons (;). When ready, click Create to add the user to your subscription.
On the Results page you can view the new account name and its temporary password. Intune automatically creates the temporary password.
The new user now appears in the Users node of the account portal.
To verify that the new user was created successfully
In the Intune administration console, click Admin > Company Portal, and then scroll to the bottom of the screen. Copy the URL shown under Intune company portal.
Open a new browser window in “privacy mode” (in Internet Explorer, click Settings > Safety > InPrivate Browsing), or open a new browser window on a different device, and then navigate to the URL that you copied in the previous step. When the user signs in for the first time, they must provide a new password for the account.
Groups in Intune give you great flexibility for managing your devices and users. You can set up groups to suit your organizational needs (for example, by geographic location, department, or hardware characteristics). You can use groups to perform a wide variety of administrative tasks at scale, from setting policies for a set of users to deploying applications to a set of devices.
To learn more about using groups, see Use groups to manage users and devices with Microsoft Intune.
To create a device group
In the Intune administration console, click Groups > Overview > Create Group.
For the Group name, type “My Trial Devices” and from the parent group list, select All Devices, and then click Next.
On the Define Membership Criteria page, select All devices to indicate that the group includes both mobile devices and computers.
On the Define Direct Membership page, click Next. If you had created a group that did not include all devices, and you wanted to add specific devices to your new group, you could do that here.
On the Summary page, review the actions that will be taken, and then click Finish.
You can find the newly created group in the Groups list, in the Groups workspace, under All Devices. From here, you can also edit or delete the group.
To create a user group
In the Intune administration console, click Groups > Overview > Create Group.
For the Group name, type “My Trial Users” and from the parent group list, select All Users, and then click Next.
On the Define Membership Criteria page, set Start group membership with to All users in the Parent group.
Next to Exclude members from these security groups, click Browse and then select Company Administrator. This exclusion will let you manage the My Trial Users group without affecting the Company Administrator account (also known as the tenant administrator).
On the Define Direct Membership page, click Next. You don’t need to do anything here because you want the My Trial Users group to include all users, except for the Company Administrator.
On the Summary page, review the actions that will be taken, and then click Finish.
You can find the newly created group in the Groups list, in the Groups workspace, under All Users. From here, you can also edit or delete the group.
Intune policies provide you with straightforward settings that help control the security settings on mobile devices, maintain Windows Firewall and Endpoint Protection settings for computers, and deploy applications. If you are planning to use the service or devices that you configure in this walkthrough for real production use (instead of just evaluation), it is absolutely essential that you follow the instructions found in Configure security policy for mobile devices in Microsoft Intune and Help secure your computers with Endpoint Protection and Windows Firewall policy for Microsoft Intune. In this walkthrough, you will set up a mobile device security policy and a computer firewall policy, and then prepare to deploy an app to mobile devices after they are enrolled.
To create and deploy a mobile device security policy
Open the Intune administration console.
In the left pane, click the Policy icon.
In the Tasks list on the Policy Overview page, click Add Policy.
Expand Common Mobile Device Settings, select Mobile Device Security Policy, choose Create and Deploy a Policy with the Recommended Settings, and then click Create Policy.
When prompted to Select the groups to which you want to deploy this policy, select My Trial Users from the list, and then click Add > OK.
Your policy appears in the list of configuration policies, and has been deployed to the My Trial Users group. Double-click the policy to view its settings.
To publish an app installation link for mobile devices
In the Intune administration console, click the Apps icon, then click Apps > Add App. If prompted, enter your Intune credentials.
When you start the Intune Software Publisher for the first time, a short delay occurs while the application is installed.
Review the security warning and click Run.
On the Before you begin page, click Next.
On the Software setup page, in Select how this software is made available to devices, select External link.
Enter the external link for the software in Specify the URL, and then click Next. Make sure that you preface the URL with http://. This example deploys Skype. Depending on which mobile device platform you are using for this walkthrough, you should use one of the following links:
On the Software description page, provide the information that you want users to see in the company portal for the software, and then click Next. The following settings are available (this example refers to Microsoft Lync):
Enter the name of the publisher: Microsoft.
Enter a description for the software, such as Skype communication app.
Select the category that best fits this software: Collaboration.
Display this as a featured app and highlight it in the company portal
Select this option to display the app prominently in the company portal on mobile devices.
Choose whether to associate an icon with the software. The maximum size for the icon is 250 x 250 pixels. The recommended size is 32 x 32 pixels. This setting is optional, so skip it for this walkthrough.
On the Summary page, verify the software information, and then click Upload. Click Close to exit the wizard.
In the Intune administration console, click Apps > Apps > Skype > Manage Deployment.
On the Select Groups page, select My Trial Users to deploy the software to that user group, and then click Add > Next.
On the Deployment Action page, select Available Install from the Approval column for your group.
The Skype app is now available to install on mobile devices from the company portal. But first, you need to install Intune software on computers and mobile devices.
There is a wide variety of ways that you can install the Intune client software on computers: end users can use an installer provided by the administrator to manually enroll, or Intune software can be included in an OS image or deployed using Group Policy. End users can also self-enroll their computers. For this walkthrough, you will use the self-enrollment approach.
When users self-enroll their computers through the Microsoft Intune company portal, each enrolled computer is linked to the user account that was used to install the client software.
To learn more about computer management using Intune, see Set up your computers to be managed by Microsoft Intune.
To learn more about software management using Intune, see Manage apps with Microsoft Intune.
To self-enroll a computer
In the Intune administration console, click Administration > Company Portal, and then scroll to the bottom of the screen. Copy the URL shown under Intune company portal.
Use Internet Explorer to browse to the company portal URL that you acquired in the previous step, and log in with your administrator credentials.
Click Add Device.
Click Download Software and then click Run.
Click Next to start the Microsoft Intune Setup wizard.
When the Setup wizard has completed, click Finish.
To set up mobile device management with Intune, you must set the mobile device management authority, enable management for the device platform, and then enroll your devices with the Company Portal app. You can then download the Microsoft Lync application that you published.
To learn more about mobile device management using Intune, see Manage mobile devices with Microsoft Intune.
Enable device management and enroll devices
Make Intune your mobile device management authority
In the Intune administration console, click Admin > Mobile Device Management, and click Set MDM Authority under Tasks. Click Yes in the MDM Authority dialog.
Enable MDM for your device platform
Enable mobile device management for the device platform you want to manage:
Windows Phone: Download and install Support Tool for Intune Trial Management of Windows Phone
Android: No requirements
Android - Install the Company Portal app from Microsoft Corporation available on Google Play and sign in with Intune user credentials added above.
iOS - Install the Company Portal app from Microsoft Corporation available in the App Store and sign in with Intune user credentials added above. View Enrolled devices to add your device.
Windows Phone 8.1 - Users install the Company Portal app from Microsoft Corporation available in the Windows Phone store and sign in with Intune user credentials added above. View Enrolled devices to add your device.
Windows Phone 8.0 - Users click system settings > company apps, and sign in with Intune user credentials added above. The Company Portal app is deployed to your phone.
If prompted for a Server address, type “manage.microsoft.com”.
Open the Company Portal on the device, choose Apps, and then install Microsoft Lync.
In the Intune administration console, alerts are used to quickly assess the overall health of managed devices in your organization. You can configure and customize alerts so that they report and display only the information you need for your organization. You can set whether an alert is enabled or disabled, configure the severity, use the display threshold to determine how frequently an alert event must be triggered before an alert is displayed, and also configure settings that are specific to certain types of alerts.
Notifications are used to inform administrators (and other users) using e-mail when certain types of alerts are triggered.
Reports are used to answer a range of questions, such as how many computers have a particular application or update installed, what malware was blocked, or which users needed Remote Assistance over the last month.
To learn more about alerts, notifications, and reports, see Monitoring and reporting.
To configure an alert
In the Intune administration console, click Alerts > Overview > Configure Alert Type Settings.
Click the search box, type “malware”, and then click the search icon.
Right-click Investigate New Malware > Configure. Note that this alert is part of the Endpoint Protection category.
In the Severity list, change the alert severity to Critical, and then click OK.
Now that you have increased the severity of this alert, let’s set up a notification to ensure that our malware expert is informed whenever this alert is triggered.
To create a notification based on an alert
First we’ll add some email addresses to our list of possible notification recipients. In the Intune administration console, click Alerts > Alerts and notifications > Select Recipients for Email Notifications.
Click Add, and provide and confirm an email address for a notification recipient, then click OK. Repeat as necessary to add recipients.
In the Intune administration console, click Alerts > Overview, and under Tasks, click Configure Notification Rules.
Click Create New Rule.
Complete Step 1 of the Create Notification Rule Wizard as follows:
Name: type “Critical Malware Alerts”.
Select the categories that apply: choose Endpoint Protection.
Select the alert severity: choose Critical.
Complete Step 2 of the wizard by selecting All Devices and then clicking Next.
Complete Step 3 of the wizard by choosing e-mail addresses that will be notified.
As a result of creating this notification, all critical endpoint protection alerts (including the one that you configured to be critical in the previous section) will generate an e-mail notification to the list of recipients that you provided.
To create a simple report
In the Intune administration console, click Reports > Mobile Device Inventory Reports.
Under Select device groups, click Edit, and then clear the checkbox for All Devices and select the checkbox for My Trial Devices.
Click Save As, and for the name, type “My Trial Device inventory”. You now have a report that shows you the inventory for all devices in the My Trial Devices group that you created earlier in this walkthrough.
To view the report, click Load at the top right of the console, then View Report at the bottom right of the console.
Intune has a wide variety of capabilities beyond those that are shown in this short walkthrough guide. A few examples of these capabilities include:
Control access to Exchange and Office 365. For details, see Manage access to email and services with conditional access for Microsoft Intune.
Management of corporate-owned iOS devices. For details, see Enroll corporate-owned iOS devices in Microsoft Intune.
Mobile application management. Managed mobile apps work with mobile application management policies to restrict certain app operations such as copy and paste, or screenshot functionality. For details, see Control apps using mobile application management policies with Microsoft Intune and Manage Internet access using managed browser policies with Microsoft Intune.
Control access to company resources. You can deploy certificates, e-mail profiles, VPN profiles and Wi-Fi profiles to mobile devices, making it easier to quickly set up mobile devices. For details, see Enable access to company resources with Microsoft Intune.
To learn about the full capabilities of Intune, see Mobile device management capabilities in Microsoft Intune, Computer management capabilities in Microsoft Intune and the Microsoft Intune Service Description.
To learn more about capabilities that were recently introduced to Intune, including capabilities that are not described in the preceding list or in this walkthrough guide, see What's new in Microsoft Intune.