MDM: Fundamentals, Security, and the Modern Desktop

Using Intune, Autopilot, and Azure to Manage, Deploy, and Secure Windows 10

The first major book on MDM written by Group Policy and Enterprise Mobility MVP and renowned expert, Jeremy Moskowitz!

Our price
641,-

(Paperback) Free shipping!
Delivery time: Ships within 21 days
Due to Brexit adjustments and measures to limit covid-19, delivery may unfortunately be delayed.


About the book


With Windows 10, organizations can create a consistent set of configurations across the modern enterprise desktop, for PCs, tablets, and phones, through the common Mobile Device Management (MDM) layer. MDM gives organizations a way to configure settings that achieve their administrative intent without exposing every possible setting. One benefit of MDM is that it enables organizations to apply broader privacy, security, and application management settings through lighter and more efficient tools. MDM also allows organizations to target Internet-connected devices and manage policies without using Group Policy (GP), which requires on-premises domain-joined devices. This makes MDM the best choice for devices that are constantly on the go.


With Microsoft making this shift to Mobile Device Management (MDM), a cloud-based policy-management system, IT professionals need to know how to accomplish the tasks they currently do with Group Policy using MDM instead, with its differences and pitfalls.


* What is MDM (and how is it different from GP)
* Setup Azure AD and MDM Auto-Enrollment
* New PC Rollouts and Remote Refreshes: Autopilot and Configuration Designer
* Enterprise State Roaming and OneDrive Documents Roaming


Renowned expert and Microsoft Group Policy and Enterprise Mobility MVP Jeremy Moskowitz teaches you MDM fundamentals, essential troubleshooting techniques, and how to manage your enterprise desktops.

Facts

Table of contents

Foreword xix
Introduction xxi

Chapter 1 Enterprise Mobility and MDM Essentials 1
Getting Ready to Use This Book 2
Why the Need for MDM 3
Group Policy and MDM Compared 6
MDM: Guts, Protocols, and Moving Parts 9
OMA-DM: The Protocol 9
CSPs: Configuration Service Providers 9
MDM Service 11
Extending Your MDM Services with Third-Party Tools 12
Final Thoughts 13

Chapter 2 Set Up Azure AD and MDM 15
Comparative Analysis of Different MDM Services 15
Azure AD Premium, Enterprise Mobility + Security, and Microsoft 365 16
Office 365's Built-In MDM Management 18
Microsoft Intune 20
VMware Workspace ONE 24
MobileIron 25
Setting Up Auto-Enrollment and Enrolling Your First Machines 25
Turning On MDM Enrollment 26
Add Your First User to Azure AD 33
Enroll Your First Windows 10 Machine into MDM 34
Optional Steps: Custom Domain Names and AD to AAD Synchronization 50
Custom Domain Names: Goodbye to "onmicrosoft.com" Names 50
Syncing Your On-Prem AD to Azure AD Automatically 58
Final Thoughts 73

Chapter 3 MDM Profiles, Policies, and Groups 75
MDM Policies and the Policy CSP 75
MDM: Getting Started with Policies 76
Profiles and Policies 77
What Makes an MDM Policy? 82
ADMX-Backed Policies 87
Ingesting Third-Party ADMX Files 96
Creating and Using Groups 108
Creating Assigned Groups 109
Creating Dynamic Groups 109
Advanced Dynamic Rules 111
Utilizing Groups in Intune 114
Final Thoughts 114

Chapter 4 Co-Management and Co-Policy Management 117
Co-Management of SCCM and Intune 117
Co-Policy Management: Group Policy and Your MDM Service 122
Auto-Enroll in Your MDM Service Using Group Policy 122
Co-Policy Management...Who Wins: MDM or Group Policy? 127
Final Thoughts 133

Chapter 5 MDM Migration and MDM Troubleshooting 135
MMAT: Microsoft MDM Migration and Analysis Tool 135
Troubleshooting MDM 139
MDM Service Reports, Diagnostic Logs, and Event Logs 139
Delivery Reports from Your MDM Service 140
Advanced Diagnostic Reports and Resolving Conflicts 141
Final Thoughts about the Advanced MDM Settings Report 143
Resolving Conflicts 144
Investigating Event Logs 148
Remotely Collecting Logs from Windows 10 149
Remember MdmWinsOverGP Setting and Gotchas 149
Other Miscellaneous Notes, Traps, and Gotchas 149
Final Thoughts 152

Chapter 6 Deploying Software and Scripts 153
Preparing for the Remainder of the Chapter 155
What to Download to Get Settled in for This Chapter 155
How to (Generally) Deploy Applications with Intune 157
Deploying MSI Applications with MDM 161
Deploying Your First MSI Application 161
Deploying AppX Apps via the Microsoft Store for Business 170
Getting Started with and Activating the Microsoft Store for Business 170
Acquiring AppX Packages to Distribute Using Microsoft Store for Business 172
Deploying MSIX with MDM 178
Repackaging an App with the MSIX Packaging Tool 181
Deploying Office 365 ProPlus with MDM 196
Deploying Win32 Apps with MDM 206
Microsoft Intune Win32 Content Prep Tool 207
Gathering All the Needed Items in One Place 208
Preparing the Win32 Application Contents 210
Add the .intunewin File to Intune 211
Assign the App and See Results 216
Other Win32 Deployment Examples, Troubleshooting, and Final Thoughts 217
Deploying Scripts with Your MDM Service 219
Deploying Scripts (That Deploy Software) with Intune 220
Delivering Other Software and Files with MDM (Using PolicyPak File Delivery Manager) 226
Downloading Unusual File Types 227
Downloading .EXEs, .MSIs, or Unusual Software, Then Running a Script (and Cleaning Up When You're Done) 228
Downloading a ZIP and Automatically Unpacking Its Contents 229
Final Thoughts 231

Chapter 7 Enterprise State Roaming and OneDrive for Business 233
Pregame Setup for This Chapter 235
Get Your Azure Tenant ID 235
Enterprise State Roaming 239
Setting Up Enterprise State Roaming 241
OneDrive for Business 244
Managing the OneDrive Tenant 246
SharePoint and SharePoint Migration Tool 248
OneDrive Sync Client 257
OneDrive's Magic Trick: Known Folder Move 268
Files Restore (from Malware or User Error) 276
Final Thoughts 279

Chapter 8 Rollouts and Refreshes with Configuration Designer and Autopilot 281
Windows Configuration Designer 282
Get WCD from the Windows Store 283
What Can You Do with WCD? (And What Shouldn't You Do with WCD?) 284
WCD Example 284
Implementing the .PPKG File 290
Results from Using a .PPKG File 292
Final Thoughts about WCD 292
Autopilot 293
Getting Devices Registered into Autopilot 296
Creating Groups for Your Autopilot Machines 303
Setting Up Your Autopilot Deployment Profile 306
Automatically Harvesting Hardware IDs into Autopilot 317
Autopilot: Resets, Retire, Wipes, and Fresh Starts 324
Linking a Specific User to a Specific Hardware ID 329
Autopilot Self-Deploying Mode 330
Autopilot Hybrid Azure AD Join 339
Autopilot White Glove 356
Final Autopilot Resources 358

Chapter 9 Windows 10 Health and Happiness: Servicing, Readiness, Analytics, and Compliance 359
Windows, Office, and OneDrive as a Service 359
Servicing Windows 360
Servicing Office 365
Servicing OneDrive (Revisited) 367
Making Your Own Rings for Windows, Office, and OneDrive 367
Office and Application Readiness 375
Office 365 Readiness Toolkit 376
App Health Analyzer 380
Desktop Analytics 381
Introduction to Desktop Analytics 382
Prepare, Pilot, and Deploy Phases 383
Final Thoughts on Desktop Analytics 383
Device Compliance and Health Attestation 384
Getting Started with Compliance Policy 385
Final Thoughts on Windows Health and Happiness 393

Chapter 10 Security with Baselines, BitLocker, AppLocker, and Conditional Access 395
Security Baselines 396
Creating Your Security Baselines in Intune 397
Assigning Your Security Baseline to a Group 399
Syncing Your Client to Get the Baseline 400
Testing Your Baseline 401
Reporting and Monitoring Baselines 402
BitLocker: Full Disk Encryption 404
Enabling BitLocker Using Intune 404
BitLocker Key Recovery and Management 412
BitLocker Final Thoughts and Additional Resources 416
Application Whitelisting with AppLocker or PolicyPak Least Privilege Manager 417
Using AppLocker for Whitelisting 417
Using Your AppLocker Rule with Intune 420
PolicyPak Least Privilege Manager for Whitelisting 423
Conditional Access 426
Setting Up Azure Conditional Access 427
Final Thoughts on Security 434

Chapter 11 MDM Add-On Tools: Free and Pay 439
Company Portal App 439
Setting Up Company Portal Branding 440
Users Interacting with the Company Portal App 441
Microsoft Graph and the Graph Explorer 448
PolicyPak On-Prem & MDM Edition 455
Getting Started with PolicyPak 456
Using PolicyPak to Export Existing Group Policy to MDM 458
Using PolicyPak to Overcome UAC Prompts 461
Using PolicyPak to Block and Allow UWP Applications 463
Using PolicyPak to Manage Application, Browser, and Java Settings 463
Using PolicyPak to Manage Windows Features (and Optional Features) 466
PolicyPak Deployment with Intune (or Any MDM) 466
Interesting Things I Found on the Internet 467
Untested, but Seemingly Useful Scripts 467
Yodamiitti Intune Management GUI 468
Final Thoughts (on This Chapter, and about the Book!) 470

Index 473

About the author

JEREMY MOSKOWITZ is a 15-year Microsoft MVP awardee, founder of MDMandGPanswers.com, and CTO of PolicyPak Software. Since becoming one of the world's first MCSEs, he has performed Active Directory, Group Policy, and MDM planning and implementations for some of the nation's largest organizations. His best-selling book Group Policy Fundamentals, Security, and Troubleshooting, Third Edition is on the desks of administrators everywhere.