Guest Posts: Intune & iOS – Setting Up

The following five guest posts are written by David Colville, with some light editing by me. I first met David online in 2015 when I was exploring Microsoft PowerBI and its suitability for educational analytics at St Andrew’s College. David connected me with Datacom New Zealand and their BI Team and the rest, as they say, is history. Since the initial introduction, our paths have crossed digitally many times, yet only once in person! Recently we chatted online about using Intune to manage iOS devices in educational contexts and from there the idea of a series of blog posts emerged. We have decided to split these reasonably technical and lengthy posts into the following five topics:

1. Intune & iOS – Setting Up
2. Intune & iOS – Adding iOS Devices Using Device Enrollment Program (DEP)
3. Intune & iOS – Assign Applications To Devices
4. Intune & iOS – Setting Up Profiles
5. Intune & iOS – Building A Custom Profile

I am really thrilled to have David share his expertise in these posts and it highlights the value of building a Professional Learning Network (PLN) online, as without our initial virtual engagements, I would not have had access to his knowledge and skills. So I extend a huge thanks to David and strongly encourage you to connect with him on Twitter.

One of the new features of Microsoft Intune in Azure is it can take advantage of iOS Apps being assigned to devices,  not just individal people’s Apple IDs.

The feature of assigning Apps to devices was added to iOS 9, so it’s been around for a little while but it’s a recent addition to Intune making it very useful for school setups. This is  particularly helpful given students under the age of 13 can’t easily get an Apple ID and in an educational context schools typically want to have all their iPads with the same configuration.

To implement this with best practice you’ll need a few things:

• To have signed up to Apple’s Volume Purchase Program and (preferably) the Device Enrolment Program – you can do this at http://deploy.apple.com, (or http://school.apple.com if you’re a school).  If you’ve already setup one of these – try and aim to upgrade to School Manager before you start.  
• To have created an Apple ID that will be used to generate an Apple Push Notification Certificate.  Apple have a guide on how to do this without a credit card here 
• An Azure-based Intune configuration.  At present it appears the assignment of Apps to devices is a feature exclusive to Azure tenants, with on-premise or Hybrid configurations still not supporting the feature.  If you want to try  out Azure in Intune – you can sign up for a trial at https://docs.microsoft.com/en-us/intune/free-trial-sign-up 
  • Note: future developments and feature roll outs will be for the Azure Portal version of Intune only.

It’s important to read the fine print on the free trial above – because I did sign up for the trial, and the first thing it diverted me to was https://portal.office.com .  I should have gone to https://portal.azure.com to start administering the Intune setup.

Once you’re into the Azure portal you may need to search for the Intune configuration as you’ll quickly learn that the Azure Portal has so many services – you will likely need to search into the “More services” section of Azure to find the correct entry:

Search for “Intune” and you’ll find the correct service:

Notice the URL on the bottom left of the above image and the reference to “blades.” The Azure Portal uses a series of “blades” expanding from left to right as new services are opened. Therefore, you may need to scroll to the left to find the previous menu item. Become familiar with closing a “blade” once you’ve made a menu selection.

To set up your system – first you need to configure the Intune environment to work with the Apple School Manager systems by enabling the MDM Push Certificate, as well as ‘Tokens’ that enable communication with Apple’s Device Enrollment Program and Volume Purchase Program (see below).

MDM Push Certificate

In the “blades”, select “Device enrollment” followed by “Apple enrollment” and once in there, you’ll need to go through a process of getting an Apple MDM Push Certificate (sometimes known as APNS).  This allows the Intune System to communicate with the Apple Devices.

The process for this is as follows:

1. Move through from “Manage” into:
   Device Enrollment. 
2. Apple Enrollment, and click on “Apple MDM Push Certificate” 
3. Downloading a “Certificate Signing Request” from the “Download your CSR” link: 
4. Going to https://identity.apple.com/pushcert/ and login with the Apple ID you created earlier. 
5. Go to “Create a Certificate” and it will ask you to upload the CSR created in Step 3. 
6. “Download” the certificate from the Push Certificate Portal. 
7. Once this is downloaded, type the Apple ID you used to create the Push Certificate in section 3 of the prompt, and upload the file that you downloaded from the Push Certificate Portal.  This will usually have the name “MDM_ Microsoft Corporation_Certificate.pem” 

Below is a screen outlining the above:

Once the Certificate is uploaded – you’ll be ready to add devices into the Intune system and this is the focus of the second blog post in this series.