Using Microsoft Azure
Ivanti Neurons for MDM can be set up with Microsoft Azure to provide seamless enrollment for your users on their Windows desktops and tablets running Windows 10. Follow the steps below to configure and connect your instances.
Setting up AAD account
To set up Azure AD:
- Go to https://azure.microsoft.com/en-in/pricing/purchase-options/ to purchase your Azure account.
- Use your existing Hotmail or Outlook.com account, or create a new account and register as a new user.
- Buy an Azure account by using one of the payment options and following the verification steps.
- Ask Microsoft to allowlist the Ivanti Neurons for MDM tenant.
- Use the same Hotmail or Outlook.com account you used in step 2 to log in to AAD at https://manage.windowsazure.com/ as an admin.
- Go to the Domain tab.
A default domain, TestMiBGLRoutlook.onmicrosoft.com, is created for your account, and any users you create belong to this domain. If needed, you can create a custom domain.
Creating Users on Azure AD
To create users on Azure AD:
- Go to Active Directory > Default Directory > Users.
- Select the Add user option > Select New user in your organization.
- Enter the username and click Next (->).
The User Profile page is displayed.
- Add the user information, such as the first name, last name and display name.
- Use the dropdown menu to assign the appropriate role to the user.
- Generate the temporary password.
The user is required to change this password at the first login.
Connecting AAD to UEM for Windows 10 Devices
To connect AAD to UEM:
- Go to Admin > Microsoft Azure > Windows Enrollment And Compliance Using AAD.
- Complete the UEM setup steps described in the section Azure Active Directory Windows 10 Unified Endpoint Management Setup.
- Complete the Assigning AAD UEM app setup in the Azure portal.
- In the Ivanti Neurons for MDM Admin Portal, type the domain name of your AAD account, click Connect Azure portal, and then select the checkbox.
- After signing in successfully, accept the consent that allows the MobileIron AD Tenant Validation APP to verify that your Ivanti Neurons for MDM UEM APP is set up. A message appears indicating a successful connection.
Microsoft Passport for Work for Windows 10 Devices
Microsoft Passport for Work is replaced with Windows Hello for Business. For more Information, see Windows Hello for Business Configuration.
Windows device AAD enrollment
Prerequisites
Users must be registered in Ivanti Neurons for MDM.
Connect your domain to enroll users on their Windows 10+ devices.
- Click Join Azure AD.
- Enter the username and password.
- Click Sign-in.
- Accept the EULA.
- Click Create PIN.
If you have enabled Microsoft Passport for Work PIN complexity, you are prompted to set up a complex PIN according to the configured policy.
Azure AD authenticates the user and downloads a JWT (JSON Web Token) to the device.
The device is now enrolled.
The user is contacted through the device for verification.
- Enter and confirm a PIN.
- Click OK.
Multi-User Support for Windows devices
Ivanti Neurons for MDM supports multi-user capabilities for Windows 10 Azure AD enrolled devices. This capability includes pushing some profiles, such as VPN, WiFi, default email client profiles and certificates, to an individual user rather than to the device. It also supports distribution of in-house and public apps to the logged-in user. Each time a new Azure AD user logs on to a device, Ivanti Neurons for MDM evaluates not just the device but also the user. If the user is new, Ivanti Neurons for MDM updates the device for that user. If the user already exists on the device, any changes to the device and user settings that need to be updated since their last login are evaluated.
The details of the Azure AD user who is logged in to the device are reported in the Ivanti Neurons for MDM Admin portal. When that user logs out of the device and a second user logs in, the details of the second user are updated in the device details page.
Setting up Microsoft Store for Business with UEM
Microsoft Store for Business is a portal provided by Microsoft as a part of Azure. Administrators can log in to this portal, shop for apps and distribute them to all managed devices. Ivanti Neurons for MDM can be set up with Microsoft Store for Business to manage applications from within the Ivanti Neurons for MDM admin portal by completing the following steps.
Step 1: Registering AAD application in the Microsoft Azure Portal
- Open the first browser and log in to the Microsoft Azure portal (https://portal.azure.com/).
- Click App registrations in the left pane.
- Click +New application registration.
- Enter the following information to register MobileIron as an Azure app:
- Name: Enter a name for the MobileIron app. (This field is required and must be at least 4 characters.)
- Application Type: Select Web app / API.
- Sign-on URL: Enter the URL that device users access to sign in to MobileIron (required).
- Click Create to add the app and return to the Azure home page.
- Go to Settings and create a new key. This key is the Application key you enter when connecting the account in the Admin Portal.
Step 2: Adding the application as a management tool
- In Microsoft Store for Business, go to Settings > Manage > Distribution settings.
- Under Add management tool, activate the application you created.
Connecting the account in the Admin Portal
- Go to Admin > Microsoft Azure > Microsoft Store for Business.
- Under Step 1, Register AAD application, select the checkbox Yes, I completed this step.
- Under Step 2, Add Management Tool, select the checkbox Yes, I completed this step.
- Under Step 3, Connect Account, update the following fields:
- Azure AD Domain
- Application Identifier
- Application key
- Sync Interval (hours)
- Click Connect. A confirmation message indicates that the MobileIron store for business is successfully set up.
- Click Sync App. When the sync succeeds, the status displays as Applications synced successfully.
When a Microsoft Store for Business app is pushed to the device, the app details are available under the Installed apps tab in the device details. Each Microsoft Store for Business app reported from the device can be identified as Microsoft Store for Business in the Source column.