Join Azure and MobileIron for Windows 10

This section describes how to set up Azure and MobileIron Core platforms to share data about device compliance. Administrators use shared compliance information to set up rules for blocking access to applications (Office 365, for example) until the device is in compliance.

Prerequisites for joining Azure and MobileIron

We recommend you have met the following prerequisites before starting this section:

• Standard prerequisites for all Azure services

Join Azure and MobileIron work flow

This section describes the overall work flow for joining Azure and MobileIron for Windows 10 devices:

• Set up Azure to join with MobileIron
• Set up MobileIron to join with Azure
• Manage device compliance

Set up Azure to join with MobileIron

The first step to join Azure with MobileIron is to set up Azure.

NOTE:

These steps can change without notice. Contact Microsoft for the most up-to-date instructions.

Add the MDM application

Follow this procedure to add the Mobile Device Management (MDM) application to Azure.

1. Log into the Microsoft Azure portal.
2. In the left panel, click Azure Active Directory.
3. Click Mobility (MDM and MAM).
4. Click + Add application.
5. Select the generic On-premises MDM application.

6. Enter a unique name that can easily be remembered to associate with MDM sign up and then click Add.

   The app with the name you selected is added to a list of apps in the directory it was assigned.

   Note the following information:

   • Only one MDM vendor can be associated at a time.
   • If you add Intune, only Microsoft can remove the app manually.
   • You can have multiple on-premise MDM apps at the same time, but make sure these apps' user scopes do not overlap.
   • MobileIron_MDM is used only for cloud customers.

7. Complete the steps in Join Azure and MobileIron for Windows 10.

Configure the application

This procedure describes how administrators configure the settings required to connect to their instance of MobileIron.

1. Open the MDM app you created.

2. On the Configure page, enter the URL of your MobileIron instance into the following fields:

   • MDM DISCOVERY URL
   • MDM TERMS OF USE URL
3. Add /EnrollmentServer/Discovery.svc after .com in the MDM DISCOVERY URL field.
4. Add mifs/aad after .com in the MDM TERMS OF USE URL field.

5. In the MDM user scope field, select All to apply configuration to all users. Select Some if you want to a specify a group (Additional fields will display.)

   NOTE:

   Applying the configuration to None will negate using this app to any users in the directory and will bypass using MobileIron Core for MDM management.

   

6. Click the On-premises MDM application settings link.
7. In the Overview tab, click Application ID URI and in the new page, click Edit to enter the URL of your MobileIron instance.
8. In the left panel, click Authentication.
9. Add a new entry of redirect URIs, select the web type, enter the URL of your MobileIron instance for redirect URIs, and then click Save. 
10. Copy the Application (client) ID. You will enter this into the Azure Client ID field in MobileIron (see Set up MobileIron to join with Azure).
11. In the left panel, click Certificates and Secrets.
12. To add a new key, click +New client secret.

13. Copy and save the new key. You will enter this into the Azure Key field in MobileIron.

    Note the following:

    • This key is also called a "client secret key" to the Application Client ID.
    • Select a 1- or 2-year activation period for the key.
    • The key is not visible until the configuration is changed.
    • The key is only visible after you save the configuration for the first time.
    • You can generate a new key, for any reason, using the same steps.
14. In the left pane, click API permissions. Note that under Permissions, the AAD Graph Read / Write device permissions field is selected.
15. Click +Add permissions.
16. Select Azure Service Management.
17. In the Azure Service Management page, click Delegated permissions.
18. In the Permissions section, select the user_impersonation check box and then click Add permission.
19. Complete the steps in Set up MobileIron to join with Azure.

Set up MobileIron to join with Azure

The second step to join Azure with MobileIron is to set up MobileIron.

1. Log into the MobileIron Admin Portal.
2. Select Settings > System Settings > Windows > Advanced Menu.

3. Select Enable Microsoft Azure Menu.

   NOTE:

   You do not need to turn on the Enabling Custom SyncML Menu option to work with Azure. However, if it was already turned on, do not turn it off as it might be required for other features in MobileIron.

4. Click Save.
5. Click the Systems Settings tab.

6. Go to Windows and click Microsoft Azure.

   Until you enabled this option, it was unavailable as a Windows setting.

7. Click Enable Azure Device Compliance.
8. Enter the appropriate information for:
   • Azure Domain: the name of your Azure tenant
   • Azure Client ID: the Client ID you noted from your Azure Configuration
   • Azure Key: the key you noted from your Azure Configuration

9. Click Save.

   You can edit the information at any time.

10. Provide your device users with the steps in Register devices in AAD and MDM.
11. Complete the steps in Manage device compliance.

Manage device compliance

Finally, now that the device is managed, MobileIron Core can begin to report compliance to Azure.

• Administrators can set up rules in MobileIron Core to determine if a device is out of compliance.
• MobileIron can sends that information to Azure, when a device becomes is out of compliance.
• If an administrator sets up rules in Azure, they are put in place when the device is out of compliance.

Azure Compliance Setting

The Trust Level, in Azure, indicates if a device is compliant or not.

• Compliant: the device is compliant
• Managed: the device has fallen out of compliance