Microsoft Intune Integration

DSM provides the option of using a Microsoft Intune connector to upload the DSM client MSI and NCP files into Intune. This action enables new endpoints to automatically register into DSM when an end user starts using their device for the first time. You can configure the Intune connector directly in the DSMC settings (ICDB). This feature leverages the Autopilot, Intune, and Azure AD infrastructure from Microsoft.

Without this feature, for a new endpoint to be registered in DSM, it must be connected to the company network for DSM to push the DSM client package and/or be auto-inserted in DSM.

A single-click action menu (DSM Settings > Upload DSM Client To Intune) enables you to upload the current DSM agent (MSI file, NCP file, as well as two batch files to install/uninstall the MSI) as a package to Intune.

Once the DSM agent is installed on endpoint devices via Intune, the following registry key is automatically set that identifies all Intune installed devices: HKLM\SOFTWARE\netsupport\netinstall\Intune.

Prerequisites

Install Microsoft .NET Framework 4.8 on the BLS server and other endpoints where the DSM Settings > Upload DSM Client To Intune menu is used.

Activate TLS 1.2 on both the BLS server and the HTTP depot. See this article for details: TLS 1.2 enforcement for Azure AD Connect

Configure a hybrid Azure AD join for managed domains. See this article for details: Configure hybrid Azure AD join. Note that Azure AD needs to be synced with the local domain that DSM is using.

Have a Microsoft 365 subscription for Microsoft Endpoint Manager, with this configuration:

Activate MDM: Go to the Azure portal (portal.azure.com) and select Azure Active Directory > Microsoft Intune > All to enable the MDM user scope and MAM user scope.

Activate enrollment: Go to the Azure portal (portal.azure.com) and select Azure Active Directory > Mobility (MDM and MAM) > Microsoft Intune Enrollment > All to enable the MDM user scope.

Create an Azure application (a tenant) manually, according to the guide here: https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal.

Assign application permissions in Intune for the Microsoft Graph API. The list of required permissions is:

Group – Read, Write

Directory – Read, Write

DeviceManagementApps – Read, Write

DeviceManagementConfiguration – Read, Write

DeviceManagementServiceConfig – Read, Write

DeviceManagementManagedDevices – Read, Write

Applications – Read, Write

Configuring DSM

DSM has three new text fields in Infrastructure (advanced mode) used to connect to your Azure environment. The fields to store in DSM are found at https://portal.azure.com/ > App registrations. Select the created app:

Tenant ID – “Directory (tenant) ID”

Application ID – “Application (client) ID”

Client Secret (stored encrypted in DSM) – found in “Certificates & secrets”

The DSM Infrastructure tab with the new Intune Integration settings looks like this:

Integrating with Intune

To integrate with Intune, use the single-click-action menu DSM Settings > Upload DSM Client To Intune to automate several steps:

Package the DSM client MSI and NCP files into .intune file format, as required by Intune. This is performed using a tool from Microsoft that is included in the iso. You must agree with the license present here: https://github.com/microsoft/Microsoft-Win32-Content-Prep-Tool/blob/master/Microsoft%20License%20Terms%20For%20Win32%20Content%20Prep%20Tool.pdf

Upload the package to Azure storage.

Assign the new application to all endpoints.

The new menu calls a new tool, C:\DSM\DSMIntuneConnector.exe. The produced log is located at C:\Program Files (x86)\Common Files\enteo\NiLogs\BLS\bls_DSMIntune.log.

You will need to manually upload the DSM client to Intune each time a new DSM version is installed or when relevant settings are changed in the ICDB. Each new upload updates the existing DSM client package in Intune by overwriting the older package. This is required so that new endpoints can pick up the latest version of the DSM client and NCP file; otherwise, changes in the newer versions may prevent older clients from connecting to the updated BLS server.

The tenant application from https://endpoint.microsoft.com/ is called Ivanti DSM Client and includes the version number.

The DSM client package is pushed to endpoint devices and installed after the user logs in.