Join Azure and Ivanti EPMM for Windows 10

This section describes how to set up Azure and Ivanti EPMM platforms to share data about device compliance. Administrators use shared compliance information to set up rules for blocking access to applications (Office 365, for example) until the device is in compliance.

Prerequisites for joining Azure and Ivanti EPMM

We recommend you have met the following prerequisites before starting this section:

Join Azure and Ivanti EPMM work flow

This section describes the overall work flow for joining Azure and Ivanti EPMM for Windows 10 devices:

Set up Azure to join with Ivanti EPMM

The first step is to Set up Azure to join with Ivanti EPMM.

To set up Ivanti EPMM with Microsoft Azure Intune, see Azure Tenant.

These steps can change without notice. Contact Microsoft for the most up-to-date instructions.

Add the MDM application

Follow this procedure to add the Mobile Device Management (MDM) application to Azure.

  1. Log into the Microsoft Azure portal.
  2. In the left panel, select Azure Active Directory.
  3. Select Mobility (MDM and MAM).
  4. Select + Add application.
  5. Select the generic On-premises MDM application.
  6. Enter a unique name that can easily be remembered to associate with MDM sign up and then select Add.

    The app with the name you selected is added to a list of apps in the directory it was assigned.

    • Only one MDM vendor can be associated at a time.
    • If you add Intune, only Microsoft can remove the app manually.
    • You can have multiple on-premise MDM apps at the same time, but make sure these apps' user scopes do not overlap.
    • _MDM is used only for cloud customers.
  7. Complete the steps in Configure the application.

Configure the application

This procedure describes how administrators configure the settings required to connect to their instance of Ivanti EPMM.

  1. Open the MDM app you created.
  2. On the Configure page, enter the URL of your Ivanti EPMM instance into the following fields:

  3. Add /EnrollmentServer/Discovery.svc after .com in the MDM DISCOVERY URL field.
  4. Add mifs/aad after .com in the MDM TERMS OF USE URL field.
  5. In the MDM user scope field, select All to apply configuration to all users. Select Some if you want to a specify a group (Additional fields will display.)

    Applying the configuration to None will negate using this app to any users in the directory and will bypass using Ivanti EPMM for MDM management.

    Configuring MDM user scope dialog box

  6. Select the On-premises MDM application settings link.
  7. In the Overview tab, select Application ID URI and in the new page, select Edit to enter the URL of your Ivanti EPMM instance.
  8. In the left panel, select Authentication.
  9. Add a new entry of redirect URIs, select the web type, enter the URL of your Ivanti EPMM instance for redirect URIs, and then select Save
  10. Copy the Application (client) ID. You will enter this into the Azure Client ID field in Ivanti EPMM (see Set up Ivanti EPMM to join with Azure).
  11. In the left panel, select Certificates and Secrets.
  12. To add a new key, select +New client secret.
  13. Copy and save the new key. You will enter this into the Azure Key field in Ivanti EPMM.

    • This key is also called a "client secret key" to the Application Client ID.
    • Select a 1- or 2-year activation period for the key.
    • The key is not visible until the configuration is changed.
    • The key is only visible after you save the configuration for the first time.
    • You can generate a new key, for any reason, using the same steps.
  14. In the left pane, select API permissions. Note that under Permissions, the AAD Graph Read / Write device permissions field is selected.
  15. Select +Add permissions.
  16. Select Azure Service Management.
  17. In the Azure Service Management page, select Delegated permissions.
  18. In the Permissions section, select the user_impersonation check box and then select Add permission.
  19. Complete the steps in Set up Ivanti EPMM to join with Azure.

Set up Ivanti EPMM to join with Azure

The second step is to join Azure with Ivanti EPMM.

  1. Log into the Ivanti EPMM Admin Portal.
  2. Select Settings > System Settings > Windows > Advanced Menu.
  3. Select Enable Microsoft Azure Menu.

    You do not need to turn on the Enabling Custom SyncML Menu option to work with Azure. However, if it was already turned on, do not turn it off as it might be required for other features in Ivanti EPMM.

  4. Select Save.
  5. Select the Systems Settings tab.
  6. In the left navigational pane, go to Microsoft Azure and expand the section. Alternately, find the Microsoft Azure tile on the Systems Settings page.
  7. Select Autopilot & Device Compliance for Windows. The Autopilot & Device Compliance for Windows page opens.
  8. Select the Enable Azure Device Compliance check box. New fields display below.
  9. Enter the appropriate information for:
    • Azure Domain ID - The name of your Azure tenant.
    • Azure Client ID - the Client ID you noted from your Azure Configuration.

    • Azure Key - the key you noted from your Azure Configuration.
  10. Select Save.

    You can edit the information at any time.

    If you are unable to connect to the Azure portal while trying to connect from Ivanti EPMM, see this KB article.

  11. Provide your device users with the steps in Register devices in AAD and MDM.
  12. Complete the steps in Manage device compliance.

Manage device compliance

Finally, now that the device is managed, Ivanti EPMM can begin to report compliance to Azure.

  • Administrators can set up rules in Ivanti EPMM to determine if a device is out of compliance.
  • Ivanti EPMM then sends that information to Azure, when a device becomes out of compliance.
  • If an administrator sets up rules in Azure, they are put in place when the device is out of compliance.

Azure Compliance Setting

The Trust Level, in Azure, indicates if a device is compliant or not.

  • Compliant: the device is compliant
  • Managed: the device has fallen out of compliance