This article reviews the checklist of prerequisites for setting up Intune to be managed by Devicie.
First-time onboarding? Read this after:
Guide to reviewing new configuration
Introduction
Devicie runs as a management layer on top of Microsoft Intune to make it easier to manage your endpoint devices, patching, and application updates.
For Devicie to connect to your Intune environment, there are some prerequisite features to activate within Intune. This article guides you through safely turning on these features ahead of your Kickoff call with our team.
Intune Tenant Preparation
1. Authorize the Devicie API
The very first step in connecting Devicie is to authorize our API as an application to manage Intune. As soon as you signed your contract with Devicie, the authorization URL was sent to your team. If this step has not been completed, reach out to your Account Executive or Solutions Engineer and they can resend it to you. Authorizing the Devicie API requires the Global Administrator role.
Our API Permissions Explained article reviews each permission that is being asked for in the API authorization.
2. Allow Devices to Join to Entra
You will use Devicie to manage the process of transitioning your devices from a legacy on-premises environment all the way to cloud native. To open up this process, it is essential that you allow devices to join Microsoft Entra for cloud identity management. Here is Microsoft's article on Entra joining devices.
To do this, navigate in the Azure portal to Devices > Device Settings, or click here to go directly there.
Select either “All” (recommended) or “Selected” (if you have a reason to exclude certain groups).
3. Turn on Windows LAPS
On the same page, scroll down and Enable Microsoft Entra Local Administrator Password Solution (LAPS) and then hit Save. See Microsoft's article on LAPS.
4. Enable Azure Enterprise State Roaming
To allow users to sync their settings and applications across devices, you will need to allow Enterprise State Roaming. See Microsoft's article on Enterprise State Roaming.
Go directly or navigate in the Entra portal to Identity > Devices > Overview > Enterprise State Roaming. Change the setting to “All” (Recommended) or “Selected” (if you need to exclude certain groups).
5. Configure Automatic MDM Enrollment Settings
Go directly or navigate in the Intune portal to Devices > Enrollment > Automatic Enrollment and set the MDM User Scope to “All” (Recommended) or “Some” (if you need to only include certain groups). See Microsoft's article on enabling automatic enrollment.
6. Enrollment CNAME
Configuring an enrollment CNAME will remove the need for users to enter MDM information when enrolling devices. These CNAME records should be added to domains that match a user’s UPN (User Principal Name) or email address used for signing into devices. See the Microsoft article on enabling autodiscovery of the enrollment server.
You should first create the two required DNS records through the service that manages the DNS for your corporate domain (GoDaddy, Cloudflare, Namecheap, Azure, Route 53, etc.).
Record 1
Type: CNAME
Host name: EnterpriseEnrollment.company_domain.com
Points to: EnterpriseEnrollment-s.manage.microsoft.com
TTL: One hour
Record 2
Type: CNAME
Host name: EnterpriseRegistration.company_domain.com
Points to: EnterpriseRegistration.windows.net
TTL: One hour
After the records are created, wait a few minutes and then validate them by going directly here or by navigating in the Intune portal to Devices > Enrollment and selecting “CNAME Validation”. Enter your corporate domain and click Test.
If your organization uses more than one UPN suffix, create one CNAME for each domain name and point each one to EnterpriseEnrollment-s.manage.microsoft.com.
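The portal's CNAME Validation checks one domain at a time. The script below is an added example (not Devicie's or Microsoft's tooling) that checks both records for every UPN suffix at once against the two targets listed above; the resolver callable and the `contoso.example`/`fabrikam.example` zone data are constructed so the check runs offline, and the live resolver assumes the third-party dnspython package.

```python
from typing import Callable, Dict, List, Optional

# Expected CNAME targets from the article (record 1 and record 2), lower-cased.
EXPECTED_CNAMES = {
    "enterpriseenrollment": "enterpriseenrollment-s.manage.microsoft.com",
    "enterpriseregistration": "enterpriseregistration.windows.net",
}


def _normalize(name: Optional[str]) -> Optional[str]:
    """Lower-case a DNS name and drop the trailing dot that resolvers append."""
    return name.rstrip(".").lower() if name else None


def check_enrollment_cnames(domains: List[str],
                            resolve: Callable[[str], Optional[str]]) -> Dict[str, List[str]]:
    """Map each UPN suffix to a list of problems; an empty list means both records are right.

    `resolve(fqdn)` returns the CNAME target as a string, or None when no CNAME exists.
    """
    problems: Dict[str, List[str]] = {}
    for domain in domains:
        domain = _normalize(domain)
        issues = []
        for host, expected in EXPECTED_CNAMES.items():
            fqdn = f"{host}.{domain}"
            actual = _normalize(resolve(fqdn))
            if actual is None:
                issues.append(f"{fqdn}: no CNAME record found")
            elif actual != expected:
                issues.append(f"{fqdn}: points to {actual}, expected {expected}")
        problems[domain] = issues
    return problems


def dns_resolver(fqdn: str) -> Optional[str]:
    """Live resolver; assumes the third-party dnspython package (pip install dnspython)."""
    import dns.resolver  # lazy import so the offline demo below runs without it
    try:
        return str(dns.resolver.resolve(fqdn, "CNAME")[0].target)
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        return None


if __name__ == "__main__":
    # Constructed zone data: one suffix is correct, the other has a wrong target
    # and a missing record. Swap `fake_zone.get` for `dns_resolver` to go live.
    fake_zone = {
        "enterpriseenrollment.contoso.example": "EnterpriseEnrollment-s.manage.microsoft.com.",
        "enterpriseregistration.contoso.example": "EnterpriseRegistration.windows.net.",
        "enterpriseenrollment.fabrikam.example": "enterpriseenrollment.manage.microsoft.com.",
    }
    for dom, issues in check_enrollment_cnames(["contoso.example", "Fabrikam.example"], fake_zone.get).items():
        print(dom, "OK" if not issues else "; ".join(issues))
```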
7. Enable Windows Hello for Business
It is recommended to leave Windows Hello for Business as "Not configured" and to enable/disable this setting using configuration policies.
8. (Recommended) Block Personally Owned Devices
If company policy prohibits BYOD (personally owned) devices, we recommend that you block them from being joined to your environment. To do so, go here directly or navigate in the Intune portal to Enrollment Restrictions > All Users > Properties and click “Edit” next to Platform Settings. Then set the “Personally owned” column to “Block” for all platforms and hit Save.
Here is Microsoft's article on enrollment restrictions.
9. Confirm the assignment of Intune licenses
Microsoft Intune licenses are required to manage any user devices. Please ensure that an Intune license is assigned to all necessary users and/or devices.
You can use this link to check license status (if you have the required permissions).
Most commonly this is provided through Microsoft 365 licenses. The following Microsoft 365 licenses include Intune:
- Microsoft 365 Business Premium
- Microsoft 365 E3
- Microsoft 365 E5
Intune is also available as an add-on to other Microsoft 365 licenses that don't include Intune.
Please ensure that all relevant users have an assigned license.
10. Create a Devicie Admin User
As part of onboarding, you will be assigned a Solutions Engineer who will help configure your environment to roll out Devicie. For them to be successful, they will need an account within Intune. Create one new cloud-only account (unlicensed) for the email address of your Solutions Engineer and assign it the following roles:
- Intune Administrator
- Security Reader
- Office Apps Administrator
- Edge Administrator
11. Create a Test User
We will also assist you with testing configuration changes to your Intune environment. To test the end-user experience, create a new "standard user" that is identical in every way to a normal user within your organization.
We will work with you on extensive end-to-end testing of your Intune configuration so that you are prepared to roll out new configurations to all users and devices in your organization. This includes things like:
- Windows autopilot deployment
- Zero-touch deployments for macOS, Android, iOS
- Application deployment
- Policy configurations and restrictions
We will coordinate access to this standard user account on your Kickoff call.
12. Allow Devicie as an External Collaborator in Teams
To collaborate faster during onboarding, we encourage you to add devicie.com as an allowed external domain in Teams.
Here are instructions from Microsoft on how to specify a trusted organization.
Congratulations! You have completed all tenant preparation steps. We look forward to seeing you at the kickoff call.