Getting started with Windows device management

Endpoint Manager MDM gives you access to management options for your Windows 10/11 devices, such as settings and configurations, software distribution, and console actions. MDM enrolled Windows 10/11 devices can also be managed using the Ivanti Agent, enabling hybrid management that combines the capabilities of MDM and traditional agent-based management.

Configuring Endpoint Manager for Windows device management

1. Configure your CSA in the console. The Ivanti Cloud Services Appliance (CSA) provides secure communication and functionality over the internet. The CSA acts as a meeting place where devices, whether MDM or agent-managed, can communicate with the Endpoint Manager core server, even if they are behind firewalls or use a proxy to access the internet. The CSA requires a third-party certificate for mobile device management. To configure your CSA, see Configuring the Ivanti Cloud Services Appliance.

2. Select your CSA for MDM. To select the CSA you would like Endpoint Manager MDM to communicate with, navigate to Tools > Modern Device Management > MDM Configurations > Common Settings > Cloud Service Appliances (CSA).

3. Secure your web server with a certificate. Your web server must be secured with a trusted third-party SSL certificate for Windows direct to core enrollment. Once you have obtained a certificate, bind it to your web server in Internet Information Services (IIS) Manager. For more information, see Binding a web server certificate.
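The following PowerShell script is an added example and is not part of the Ivanti documentation or product. After binding the certificate in IIS Manager, it checks each HTTPS binding on the core server for the properties direct to core enrollment depends on: the certificate chains to a trusted root, is within its validity period, is not self-signed, and matches the host name devices will enroll against. The host name `core.example.com` is a placeholder; run the script on the core server as an administrator.

```powershell
# Added example (not Ivanti code). Verifies that the IIS HTTPS bindings on the core
# server use a trusted, third-party certificate suitable for Windows enrollment.
# Assumption: 'core.example.com' is a placeholder for the FQDN devices connect to.
Import-Module WebAdministration
Import-Module PKI

function Test-EnrollmentCertBinding {
    param(
        [string]$ExpectedHost = 'core.example.com'   # placeholder enrollment FQDN
    )

    # SSL bindings are stored in HTTP.sys; the IIS provider exposes them together
    # with the thumbprint and certificate store of the bound certificate.
    $bindings = Get-ChildItem IIS:\SslBindings
    if (-not $bindings) {
        return [pscustomobject]@{ Port = $null; Ok = $false; Reason = 'No HTTPS binding found' }
    }

    foreach ($binding in $bindings) {
        $cert = Get-Item "Cert:\LocalMachine\$($binding.Store)\$($binding.Thumbprint)"

        # A self-signed certificate (subject equals issuer) is not trusted by devices.
        $selfSigned = ($cert.Subject -eq $cert.Issuer)

        # The SSL policy validates the chain to a trusted root, the validity period
        # and that the name matches the host devices connect to. Failure returns $false.
        $chainOk = Test-Certificate -Cert $cert -Policy SSL -DNSName $ExpectedHost `
                                    -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Port       = $binding.Port
            Host       = $binding.Host
            Thumbprint = $cert.Thumbprint
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Ok         = ($chainOk -and -not $selfSigned)
            Reason     = if ($selfSigned) { 'Self-signed certificate' }
                         elseif (-not $chainOk) { 'Chain, validity or host name check failed' }
                         else { 'OK' }
        }
    }
}

Test-EnrollmentCertBinding | Format-Table -AutoSize
```

A binding that reports `Ok = False` will cause enrollment to fail on the device side with a certificate trust error, so fix the binding before pointing devices at the core.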

4. Configure Azure for Autopilot and enter Azure credentials. If you will be using Windows Autopilot based enrollment, you need to do some initial configuration in Microsoft Azure and enter Azure credential information in Endpoint Manager. For more information, see Windows Autopilot enrollment.

5. Configure Azure AD and enter Azure credentials. If you will be using Azure AD based enrollment, you need to do some initial configuration in Microsoft Azure and enter Azure credential information in Endpoint Manager. For more information, see Azure AD enrollment.

6. Connect your core to your LDAP server. In addition to querying the core database, Endpoint Manager also provides the directory tool that lets you locate, access, and manage devices in other directories via LDAP. In most deployments, the LDAP configuration points to an Active Directory server. For information about configuring the connection to your LDAP server, see LDAP queries.

7. Set up credentials for using notification services. Endpoint Manager uses Windows Push Notification Services (WNS) to communicate with Windows devices. For information about enabling WNS, see Windows notification services.

Enrolling Windows devices

Direct to core enrollment. If you will be enrolling devices using on-premises Active Directory, see Windows direct to core enrollment.

You can also create a deep link for direct to core enrollment. For more information, see Deep link enrollment.

Windows Autopilot enrollment. If you will be enrolling devices using Windows Autopilot, see Windows Autopilot.

Azure AD based enrollment. If you will be enrolling devices using Azure Active Directory, see Azure AD enrollment.

If you will be enrolling devices that have already been hybrid-joined to Azure AD, you can create a group policy that will automatically enroll hybrid-joined devices. For more information, see Group policy enrollment.
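The following PowerShell script is an added example, not part of the Ivanti documentation. Run on a Windows 10/11 device, it reports whether the prerequisites for group policy driven auto-enrollment are in place: the device is both domain joined and Azure AD joined (as reported by `dsregcmd /status`), and the Windows auto-enrollment policy has been applied. The registry location it reads is the one written by the Windows "Enable automatic MDM enrollment using default Azure AD credentials" policy; the output shape is this example's own.

```powershell
# Added example (not Ivanti code). Checks a device's readiness for group policy
# based MDM auto-enrollment: hybrid join state plus the applied enrollment policy.
function Get-AutoEnrollReadiness {
    # dsregcmd /status prints "Name : Value" lines describing the device's join state.
    $status = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*(\S+)\s*:\s*(.+?)\s*$') { $status[$matches[1]] = $matches[2] }
    }

    # Location written by the Windows auto-enrollment group policy (AutoEnrollMDM = 1).
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    $policy = Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue

    $domainJoined  = ($status['DomainJoined']  -eq 'YES')
    $azureAdJoined = ($status['AzureAdJoined'] -eq 'YES')
    $policyApplied = ($policy -and $policy.AutoEnrollMDM -eq 1)

    [pscustomobject]@{
        DomainJoined  = $domainJoined
        AzureAdJoined = $azureAdJoined
        PolicyApplied = $policyApplied
        # A device must be hybrid joined (both) and carry the policy before it enrolls.
        Ready         = ($domainJoined -and $azureAdJoined -and $policyApplied)
    }
}

Get-AutoEnrollReadiness
```

If `DomainJoined` and `AzureAdJoined` are true but `PolicyApplied` is false, the group policy has not reached the device yet; run `gpupdate /force` and re-check before investigating the enrollment itself.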

You can also create a deep link for Azure AD enrollment. For more information, see Deep link enrollment.

Hybrid management. Windows 10/11 PCs can also be concurrently managed using the Ivanti Agent. Hybrid management using both the Ivanti Agent and MDM enables extensive device management, combining agent-based management with MDM configuration enhancements. For more information, see Installing the agent for hybrid management.

Managing enrolled devices

Create agent settings to configure devices. Agent settings for mobile devices allow you to configure device settings and restrictions from the Endpoint Manager console. For more information about the available settings, see Agent settings: Windows MDM Configuration.

Create software packages for devices. Create MSI software distribution packages and silently distribute them to MDM managed Windows devices. For information on creating and distributing software packages, see Distributing content to MDM managed devices.

Perform actions from the console. After a device is enrolled, it appears in the inventory, and you can perform actions such as locking the device or viewing the device inventory. Most of these actions are performed by right-clicking on the device in the inventory. For information about available actions, see Device actions.