May 09 2022 06:24 AM
Hi
Basically, I am referring to the following article:
You don't have permissions to enroll a Windows device in Intune - Intune | Microsoft Docs
I have devices here that use Office 365 but are not synchronized with Azure AD Connect. This is also not possible (different AD). In order to be able to simplify a few points (conditional access, office installation), I would like to bring the devices into Intune.
The easiest way seems to me to be via the Company Portal App. And here's the point: isn't there a way to do this reasonably on existing devices without requiring the user to be a local admin?
How do you do this? Or is there a way to "take away" the user's admin rights after the Intune enrollment?
I hope I was able to adequately describe my concern. Otherwise just ask please.
May 09 2022 09:57 AM
Not quite clear what the situation is so I have a few questions:
By the way, it's not a requirement to have Intune managed devices to use conditional access. Conditional access can allow or restrict access to Microsoft 365 resources when users sign in (identity-driven signals) using managed or unmanaged devices, local apps or the browser. https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview
May 11 2022 11:27 AM
I'm with @Moe_Kinani on this one. Both choices are good. Option 2 is the easiest.
May 16 2022 02:30 PM
@RomanK7 in your previous reply you say:
2. Login on Device with their on-premise account.
3. AD Joined Device with no local Admin rights.
4. Right, only MDM enrolled
Just checking to make sure if I understand you correctly. You don't want these devices to be Azure AD joined right? If that is the case, you can go for MDM only enrollment like Moe explains. (option 2)
Yes, you will have to use a local admin account to do this, and if I'm right, your devices are already domain joined, right? If that's true, by default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain.
This means you can sign in with a domain admin to the device and then MDM enroll the device using MDM only enrollment. If you don't want to sign in with a domain admin account, you can create a GPO to update the local administrators group on your devices and add a domain user to this group. Later on, you can update the local administrators group again, and remove the account.
Now for the MDM only enrollment part. The best thing you can do is
Here's what the docs tell:
This enrollment method isn't recommended because:
It doesn't register the device into Azure Active Directory (AD). Users might not get access to organization resources, such as email.
It prevents using some Azure AD features, such as Conditional Access.
(however... you could use some conditional access policies and target devices using Filter for devices - device.trustType -ne "AzureAD" -and device.trustType -ne "Workplace")
The next step could be for the user to actually Azure AD register the device. This will make it easier and more convenient for the users to use the Office apps. Users do not have to be a local admin to register the device.
If for whatever reason the user himself cannot MDM enroll the device, then you could go for a DEM account. However, normally, you would not use a DEM account to enroll devices using MDM only enrollment. I know it works, but I'm not sure if it's supported.
Here's what the docs tell:
You can use the following methods to enroll devices using DEM accounts:
In the end I have to say... just (hybrid) Azure AD joining the devices will make life a lot easier.
Hope this helps
Oktay
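The reply above describes adding a domain user to the local Administrators group for the MDM-only enrollment, then removing it again, and separately notes that MDM-only enrollment leaves the device outside Azure AD. The script below is an added example (not code from this thread or from Microsoft) that models that procedure in three phases: Grant records the current Administrators membership as a baseline and adds the helper account; Revoke removes the account and reports any member that is not in the baseline, so the clean-up is verified rather than assumed; Status parses dsregcmd /status to show whether the device is domain joined, Azure AD joined and MDM enrolled (MdmUrl is empty when it is not). The account name CONTOSO\enroll.helper and the baseline file path are placeholders, and the Status phase assumes dsregcmd /status keeps its "Name : Value" line format.

```powershell
<#
  Added example, not code from the thread or from Microsoft.
  Models "add a domain user to local Administrators, enroll, then remove it" in
  three phases and verifies the clean-up. CONTOSO\enroll.helper and the
  baseline path are placeholders; adjust them for your environment.
#>
#Requires -RunAsAdministrator
param(
    [ValidateSet('Grant', 'Revoke', 'Status')]
    [string] $Phase = 'Status',
    [string] $HelperAccount = 'CONTOSO\enroll.helper',                                  # placeholder
    [string] $BaselinePath  = "$env:ProgramData\EnrollHelper\admins-baseline.json"       # placeholder
)

function Get-LocalAdminMembers {
    # Current members of the local Administrators group as sorted "DOMAIN\name" strings.
    Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name | Sort-Object
}

function Save-Baseline {
    param([string[]] $Members, [string] $Path)
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    $Members | ConvertTo-Json | Set-Content -Path $Path -Encoding UTF8
}

function Grant-TemporaryLocalAdmin {
    param([string] $Account, [string] $Path)
    $before = Get-LocalAdminMembers
    Save-Baseline -Members $before -Path $Path          # record what "clean" looks like before the change
    if ($before -contains $Account) {
        Write-Warning "$Account is already a local administrator; nothing granted."
        return
    }
    Add-LocalGroupMember -Group 'Administrators' -Member $Account
    Write-Host "Granted temporary local admin to $Account."
    Write-Host "Enroll the device (Settings > Accounts > Access work or school > Enroll only in device management), then run -Phase Revoke."
}

function Revoke-TemporaryLocalAdmin {
    param([string] $Account, [string] $Path)
    if (-not (Test-Path $Path)) { throw "No baseline at $Path; run -Phase Grant first." }
    $baseline = @(Get-Content -Path $Path -Raw | ConvertFrom-Json)
    if ((Get-LocalAdminMembers) -contains $Account) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $Account
    }
    # Verification: any member present now that was absent from the baseline is drift.
    $drift = Compare-Object -ReferenceObject $baseline -DifferenceObject (Get-LocalAdminMembers) |
             Where-Object SideIndicator -eq '=>' | Select-Object -ExpandProperty InputObject
    if ($drift) {
        Write-Warning ("Unexpected local administrators remain: " + ($drift -join ', '))
    } else {
        Write-Host 'Local Administrators group matches the pre-enrollment baseline.'
    }
}

function Get-MdmEnrollmentState {
    # Parses the "Name : Value" lines of dsregcmd /status into a hashtable and returns the
    # fields that show domain join, Azure AD join and MDM enrollment state.
    $fields = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.*)$') { $fields[$Matches[1]] = $Matches[2].Trim() }
    }
    [pscustomobject]@{
        DomainJoined  = $fields['DomainJoined']
        AzureAdJoined = $fields['AzureAdJoined']   # stays NO after MDM-only enrollment
        MdmUrl        = $fields['MdmUrl']          # empty when the device is not MDM enrolled
    }
}

switch ($Phase) {
    'Grant'  { Grant-TemporaryLocalAdmin  -Account $HelperAccount -Path $BaselinePath }
    'Revoke' { Revoke-TemporaryLocalAdmin -Account $HelperAccount -Path $BaselinePath }
    'Status' {
        Write-Host 'Local Administrators:'; Get-LocalAdminMembers
        Get-MdmEnrollmentState | Format-List
    }
}
```

Run `.\Enroll-Helper.ps1 -Phase Grant` from an elevated session before the enrollment and `-Phase Revoke` afterwards; the drift check in Revoke is what catches the case the reply warns about, an account that was added for the enrollment and never removed. A GPO (Restricted Groups or Group Policy Preferences) achieves the same add-then-remove across many machines; the baseline comparison is still worth running locally to confirm the policy actually took effect.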
Jun 07 2022 06:38 AM
I'll try to explain better.
We have connected companies with "Azure Active Directory Connect cloud sync". (NOT Azure Active Directory Connect sync)
https://docs.microsoft.com/en-us/azure/active-directory/cloud-sync/what-is-cloud-sync
The identity can be synchronized. But unfortunately not the devices.
In order to be able to manage these now (limited), the idea is to bring them to Intune via the Company Portal.
Some of these devices are in the domain of the other company and the users do not have local admin rights. Now my question is what is the best way to do it?