Overview
The ISO is currently working to implement Microsoft Intune across the university system. Microsoft Intune is a cloud-based service that focuses on mobile device management (MDM). It helps organizations manage the devices their employees use for work. It ensures that company data on smartphones, tablets, and laptops stays secure and within policy guidelines, no matter where the device is located.
Intune Project Enrollment Phase
Scope – Microsoft Windows devices only
Existing Device Enrollment
Active Directory Windows Devices
A GPO script will enroll all Active Directory-joined Windows devices into Intune using a device logon script that runs the Bulk Join Package on the device. For AD-joined devices, this should eliminate, or at least reduce, the need to add them to Intune manually.
In testing, the only user interaction that sometimes occurs is a Windows notification titled “Work or School account problem,” which some users may find unfamiliar.
If you have notifications turned off, you may not see it. The notification does not affect Intune enrollment, so there are several acceptable ways to handle it: the user can ignore the prompt, follow the prompts and sign in with school account credentials, or reboot the device.
Rollout
The rollout will be phased: specific Active Directory Organizational Units (OUs) will be linked to the Group Policy Object (GPO) that delivers the device logon script. The GPO is titled UTK.DS.Intune Join Computer Config.
The GPO runs a Computer Configuration Startup Script, written in PowerShell, that launches the Bulk Join Package. If you would like to test, you can link the GPO to an OU containing the devices for testing. If you test, please click "Intune Request" and select the option “Request Active Directory OU migration to Intune”. Please list the name of your OU so we know which devices are being tested.
Starting on June 3rd, we will begin linking the GPO to OUs.
If you would like to request a specific rollout date between June 3 and June 13, I will do my best to incorporate your request. Please click "Intune Request" and select the option “Request Active Directory OU migration to Intune”. Complete the appropriate information, including the requested date. The plan is to ramp up slowly but continue at a fast pace. The goal is to complete as much work as possible before June 10. The GPO will be enforced starting on June 17th to enroll devices that have been missed with the staggered rollout.
This will not touch any server operating systems (Intune does not manage servers). macOS, iPadOS, and Android devices are also out of scope for the current Intune project but will come later.
Standalone Windows Devices
Devices that are UT-owned/funded but not in Active Directory will need to run the join package on the computer. This package will be made available in the OIT download software site next week, May 28. The package will need to be run by a user with administrative privileges. This option is not intended to be used on AD-joined devices. It will join the device into Entra ID and Intune, making it a cloud-only Intune device.
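Whichever path a device takes (the GPO-driven Bulk Join Package for AD-joined devices, or the standalone join package for devices outside Active Directory), the result should be an Entra ID join plus an Intune MDM enrollment. The following check script is an added example, not part of the OIT/ISO rollout materials or the Bulk Join Package; it assumes a Windows 10/11 device where dsregcmd.exe is available and that it is run from an elevated PowerShell session. It reports whether the device is hybrid-joined (AD path) or cloud-only (standalone path) and whether the Intune enrollment record exists, so a tester can confirm an OU is done before the GPO is enforced.

```powershell
# Added example (not part of the rollout materials): verify Entra ID join and
# Intune MDM enrollment on a Windows device after the join package has run.
# Assumes Windows 10/11 with dsregcmd.exe and an elevated PowerShell session.

function Get-DsregStatus {
    # Parse "Key : Value" lines from "dsregcmd /status" into a hashtable.
    $status = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z0-9 ]+?)\s*:\s*(.*?)\s*$') {
            $status[$Matches[1].Trim()] = $Matches[2]
        }
    }
    return $status
}

function Test-IntuneEnrollment {
    $s = Get-DsregStatus
    $entraJoined  = $s['AzureAdJoined'] -eq 'YES'
    $domainJoined = $s['DomainJoined']  -eq 'YES'

    # A completed Intune enrollment leaves a key under HKLM\SOFTWARE\Microsoft\Enrollments\<GUID>
    # with ProviderID "MS DM Server" and EnrollmentState = 1.
    $mdm = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue } |
        Where-Object { $_.ProviderID -eq 'MS DM Server' -and $_.EnrollmentState -eq 1 }

    # Hybrid = AD-joined device enrolled via the GPO startup script;
    # cloud-only = standalone device enrolled via the downloadable join package.
    $joinType = if ($entraJoined -and $domainJoined) { 'Hybrid (AD-joined, GPO path)' }
                elseif ($entraJoined)                { 'Cloud-only (standalone join package path)' }
                else                                 { 'Not Entra-joined' }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        JoinType       = $joinType
        MdmUrl         = $s['MdmUrl']
        IntuneEnrolled = [bool]$mdm
    }
}

$result = Test-IntuneEnrollment
$result | Format-List
# Non-zero exit lets a scheduled task or remote script flag devices the rollout missed.
if (-not $result.IntuneEnrolled) { exit 1 }
```

Devices that report "Not Entra-joined" or IntuneEnrolled = False after the GPO has applied are the ones to list in an "Intune Request" ticket rather than to join manually.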
Intune Device Management
Intune will be utilized for pushing out global policies across all Windows devices. These are the same policies that we have already implemented using another AD GPO that pushed Microsoft Defender policies and onboarded Defender into the Defender Console. The next policy we will be pushing, in July, will be the BitLocker settings to start local drive encryption. The ISO office will be working to utilize Intune to provide a baseline of device management specific to improving the security posture of endpoint devices. There is no expectation that you manage your devices any differently than you do today.
LANMAN device management for Endpoint devices
Intune is a great tool for management tasks and software installation. Some departments are already using it for additional management tasks. We plan, in a later phase, to open device management to new LANMAN participants. However, there is no expectation for you to do anything differently than you do currently.
Desktop Support Management
If you would like Desktop Support to manage your devices, contact them for additional information.