Suggested audience: This article is for the local authorities that have expressed interest in the Hwb Intune rollout.
Microsoft Intune is where you can manage Windows 10 devices. With this, you can leverage the power of the cloud to manage your devices wherever they are. You can set restriction and configuration profiles, deploy applications, set compliance policies, and much more.
There are two portals for accessing Intune:
Endpoint Manager - https://endpoint.microsoft.com/
The Endpoint Manager portal offers the complete set of Mobile Device Management tools, including access to the Autopilot and Apple Deployment Program management. Endpoint Manager is recommended for use by administrators with technical knowledge and training.
Intune for Education - https://intuneeducation.portal.azure.com/
Intune for Education provides a less technical interface for school users to be able to manage their devices and deploy applications in a more friendly way. Intune for Education is recommended for school digital champions.
Both portals access the same Intune service, with the settings in Intune for Education simplified for easier use. The changes you make in one portal are also available in the other.
Not all settings in Endpoint Manager are available in Intune for Education. Intune for Education has been simplified to be more user friendly.
In order to begin using Hwb Intune, local authorities must ensure the following on behalf of their schools:
- Tools and services used by learners and teaching staff can be accessed via their Hwb accounts in the cloud. This includes ensuring all user data is hosted via the Hwb Office 365 tenancy (OneDrive, SharePoint etc.)
- Devices to be managed through Hwb Intune must be licenced, as a minimum, with Windows 10 Pro or Windows 10 Pro Education - https://hwb.gov.wales/support-centre/hwb-services/microsoft/microsoft-365-licences/
- Staff accessing devices managed through Hwb Intune must have an M365 licence applied through the User Management Portal - https://hwb.gov.wales/support-centre/hwb-services/user-management/#microsoft-365
There are three main roles for providing access to Intune and its functionality:
- Local Authority Administrators: These users have almost full access to all Intune settings and options, but can only see and act on those scoped to their local authority, including schools. This role assignment can be requested via the Hwb Service Desk.
- Secondary School Administrators: These users have the same access as Local Authority Administrators, but can only see and act on those within their school. This role assignment can be given to individual school staff by their Local Authority Administrators via the User Management Portal, if they wish to delegate these controls. See Intune Device Group Management guidance on the User Management Portal page.
- School Digital Champions: These users have limited access with abilities for managing devices and deploying apps within their school. They cannot configure any configuration profiles. This role assignment will be given to all School Digital Champions in a school on request from the Local Authority if they wish to delegate these controls.
Each administrative role assignment is given a scope tag. These scope tags are unique to each local authority or school and are based on the local authority or DfES number.
Whenever a configuration item is created in Intune (such as configuration policies, apps, enrolment profiles, etc.) it is also given the scope tag(s) of the person who created it. Scope tags can be added to an item to make it visible to other administrators, or removed to hide it. An administrator can only see or manage a configuration object or group of devices/users if they have been assigned a matching scope tag.
Local Authority Administrators will have their own scope tag as well as those of every school in that authority. School administrators will only have the scope tag corresponding to their school. This means that if a school creates a configuration item the local authority will also be able to see it, but not vice versa unless the school's scope tag is consciously added.
The scope tag is only needed if you wish to make that configuration object visible to administrators with the same tag. You can assign a configuration object to a group without a scope tag and it will still apply.
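The visibility rule described above, worked through as a small model. This is an added example, not Hwb's or Microsoft's code: the tag values ("LA-660", "6601234", "6605678") are constructed placeholders for the local authority and DfES-number based tags, and the role holdings (LA admin holds the LA tag plus every school tag; a school admin holds only their own) follow the guidance. It shows an object created by a school being visible to the local authority but not to another school, and the local authority adding and removing a school tag to share and hide an authority-wide object.

```python
"""Toy model of Intune scope-tag visibility as described in the Hwb guidance.

Added illustration, not Hwb or Microsoft code. All tag values, admins and
object names below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Admin:
    name: str
    scope_tags: frozenset  # tags granted with the role assignment


@dataclass
class ConfigObject:
    name: str
    scope_tags: set        # tags currently on the object


LA_TAG = "LA-660"       # constructed local authority tag
SCHOOL_A = "6601234"    # constructed DfES-style tag for school A
SCHOOL_B = "6605678"    # constructed DfES-style tag for school B

# Role holdings as the guidance describes them.
LA_ADMIN = Admin("LA admin", frozenset({LA_TAG, SCHOOL_A, SCHOOL_B}))
SCHOOL_A_ADMIN = Admin("School A admin", frozenset({SCHOOL_A}))
SCHOOL_B_ADMIN = Admin("School B admin", frozenset({SCHOOL_B}))


def create_object(creator: Admin, name: str, tags=None) -> ConfigObject:
    """A new object carries the creator's tags unless a narrower set is chosen."""
    chosen = set(tags) if tags is not None else set(creator.scope_tags)
    if not chosen <= creator.scope_tags:
        raise ValueError("cannot tag an object with a tag you do not hold")
    return ConfigObject(name, chosen)


def can_see(admin: Admin, obj: ConfigObject) -> bool:
    """Visible only when the admin and the object share at least one tag."""
    return bool(admin.scope_tags & obj.scope_tags)


def _check_manage(admin: Admin, obj: ConfigObject, tag: str) -> None:
    # You must already be able to manage the object and hold the tag you touch.
    if not can_see(admin, obj) or tag not in admin.scope_tags:
        raise PermissionError(f"{admin.name} cannot change tag {tag} on {obj.name}")


def share_with(admin: Admin, obj: ConfigObject, tag: str) -> None:
    """Adding a tag widens who can see the object."""
    _check_manage(admin, obj, tag)
    obj.scope_tags.add(tag)


def hide_from(admin: Admin, obj: ConfigObject, tag: str) -> None:
    """Removing a tag narrows who can see the object."""
    _check_manage(admin, obj, tag)
    obj.scope_tags.discard(tag)


def visible_names(admin: Admin, objects) -> list:
    return sorted(o.name for o in objects if can_see(admin, o))


def snapshot(objects) -> dict:
    return {a.name: visible_names(a, objects)
            for a in (LA_ADMIN, SCHOOL_A_ADMIN, SCHOOL_B_ADMIN)}


def demo() -> dict:
    # School A creates a profile: the LA sees it, school B does not.
    school_wifi = create_object(SCHOOL_A_ADMIN, "6601234 Wi-Fi")
    # The LA creates an authority-wide profile tagged only with the LA tag,
    # so no school sees it until a school tag is consciously added.
    la_baseline = create_object(LA_ADMIN, "660 OneDrive", tags={LA_TAG})
    objects = [school_wifi, la_baseline]
    before = snapshot(objects)
    share_with(LA_ADMIN, la_baseline, SCHOOL_A)   # now school A can see it
    shared = snapshot(objects)
    hide_from(LA_ADMIN, la_baseline, SCHOOL_A)    # and now it cannot again
    hidden = snapshot(objects)
    return {"before": before, "shared": shared, "hidden": hidden}


if __name__ == "__main__":
    for stage, view in demo().items():
        print(stage, view)
```

A school administrator who cannot see an object cannot change its tags either, so `share_with(SCHOOL_B_ADMIN, ...)` on the LA object raises `PermissionError`; only someone already holding a matching tag can widen or narrow visibility.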
Devices and users are organised into a group hierarchy of schools within local authorities. Configuration objects can be assigned to either a device or user group. Using a hierarchical structure allows common assignments to be placed once at a higher level and inherited by the groups nested within it.
This group structure can be viewed within Intune for Education, and only displays the part of the hierarchy that the administrator is scoped for. In Intune for Education, policy assignments and app deployments can also be made directly on an individual group.
The groups follow a naming convention that starts with the local authority or school DfES number to identify them.
Intune device groups can be managed in the User Management Portal. For guidance on this please see Intune Device Group Management.
Device enrolment can be done in a variety of ways depending on the device’s ownership and device type.
Bulk enrolment of devices can easily be performed using Autopilot (for Windows devices) and the Device Enrolment Program (DEP, for Apple devices).
A configuration profile is then applied to the device depending on requirements.
There are two main types of device ownership supported by Hwb that can be set during enrolment - One-to-one, which is suitable for devices that are primarily used by a single user, and Shared, which is suitable for classroom usage where the device is not always used by the same user.
More detailed information on Microsoft Intune device enrolment can be found in this Microsoft document - Enrollment in Microsoft Intune | Microsoft Docs
Configuration objects are anything in Intune that can be applied to a device or user. This includes objects such as enrolment profiles, device restrictions, network settings, certificates, update settings, apps, and many more.
Configuration objects should be named appropriately, prefixed with the LA or School DfES number to identify who it belongs to. They can be scope tagged so only the appropriate administrators can see and edit them.
Depending on the setting being applied, the configuration item should be assigned to either a device group or user group. Some settings are only applicable to a particular target type.
Most settings will be part of a configuration profile. When creating a configuration profile, you need to choose the target platform (Windows or iOS) and what type of setting is being applied (device restriction, administrative templates, Wi-Fi, custom settings, etc.).
In Endpoint Manager, configuration profiles can be assigned to included groups and excluded groups. Configuration profiles common to multiple groups can be assigned to a parent group in the hierarchy and inherited by the child groups; if the settings are not applicable to some of the child groups, those groups can be excluded.
It is recommended to create a new configuration profile for ‘unrelated’ settings – for example, settings for OneDrive could all go in the same profile but a setting to change the wallpaper should go in a separate one. This gives greater flexibility when applying settings to multiple groups with different requirements.
Although settings in a configuration profile are inherited, there is no precedence between conflicting settings. If the same setting is applied to a group by two profiles with differing values, then neither value is applied. Conflicts can be investigated through the Monitor menu in Intune.
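The inheritance, exclusion and conflict behaviour described above, worked through as a small resolver. This is an added example, not Hwb's or Microsoft's code: the group hierarchy, profile names and setting values are constructed, and a device in a child group is treated as a member of every parent group up to the root (which is what nested groups give you). It shows a profile assigned at the authority level reaching every school, a school excluded from a parent-level profile and supplying its own, and two profiles setting the same value differently, which leaves that setting unapplied for the affected group.

```python
"""Toy resolver for Intune configuration-profile inheritance, exclusions and
conflicts, following the behaviour described in the Hwb guidance.

Added illustration, not Hwb or Microsoft code. Group names, profile names
and setting values are constructed.
"""
from dataclasses import dataclass, field

# Constructed hierarchy: child group -> parent group (None at the root).
PARENT = {
    "660": None,
    "660 Primary": "660",
    "6601234 Devices": "660 Primary",
    "6605678 Devices": "660 Primary",
}


@dataclass
class Profile:
    name: str
    settings: dict                          # setting name -> value
    included: set = field(default_factory=set)
    excluded: set = field(default_factory=set)


def ancestry(group):
    """The group itself and every parent up to the root."""
    while group is not None:
        yield group
        group = PARENT[group]


def applies_to(profile: Profile, group: str) -> bool:
    """Included via any group in the ancestry and excluded via none of them."""
    members = set(ancestry(group))
    return bool(members & profile.included) and not (members & profile.excluded)


def effective_settings(group: str, profiles) -> tuple:
    """Return (applied, conflicts) for a device in `group`.

    A setting given two different values by profiles that both apply is a
    conflict: it is reported and not applied at all, as the guidance states.
    """
    values = {}
    for p in profiles:
        if applies_to(p, group):
            for key, value in p.settings.items():
                values.setdefault(key, {})[p.name] = value
    applied, conflicts = {}, {}
    for key, by_profile in values.items():
        distinct = set(by_profile.values())
        if len(distinct) == 1:
            applied[key] = distinct.pop()
        else:
            conflicts[key] = by_profile
    return applied, conflicts


# Constructed profiles following the page's naming convention (DfES prefix).
PROFILES = [
    Profile("660 OneDrive", {"onedrive_kfm": True}, included={"660"}),
    Profile("660 Primary Wallpaper", {"wallpaper": "la-primary.png"},
            included={"660 Primary"}, excluded={"6605678 Devices"}),
    Profile("6605678 Wallpaper", {"wallpaper": "school-b.png"},
            included={"6605678 Devices"}),
    Profile("660 Edge Homepage", {"homepage": "https://hwb.gov.wales"},
            included={"660"}),
    # School A sets the same setting without being excluded from the LA one.
    Profile("6601234 Edge Homepage", {"homepage": "https://example.invalid/a"},
            included={"6601234 Devices"}),
]


def report(group: str) -> dict:
    applied, conflicts = effective_settings(group, PROFILES)
    return {"applied": applied, "conflicts": sorted(conflicts)}


if __name__ == "__main__":
    for g in ("6601234 Devices", "6605678 Devices"):
        print(g, report(g))
```

`report("6601234 Devices")` lists `homepage` under conflicts because the LA profile and the school profile both apply with different values; the fix in Intune is either to exclude the school's device group from the LA profile or to drop the duplicate setting, not to rely on the school-level profile "winning".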
In Intune for Education, device settings can be applied by going into Groups, selecting the target group from the hierarchy, and toggling the desired controls.
A simplified subset of settings is available for both Windows and iOS devices in Intune for Education, but more comprehensive settings should be made in Endpoint Manager.
Changing a device setting in Intune for Education will cause inheritance to break, and the screen will show a message to indicate this. This results in a new profile being created in Endpoint Manager and the group being added as an excluded group on the parent group's assignment.
More information on device settings in Intune can be found in this Microsoft document - Device features and settings in Microsoft Intune - Azure | Microsoft Docs
Applications can be deployed to devices from various sources including Microsoft 365 apps, Win32 apps, Microsoft Store or iPad apps. Even PowerShell scripts can be wrapped in a Win32 app and deployed to a Windows device.
Microsoft Store apps must be requested through the Hwb Service Desk (firstname.lastname@example.org) who will make them available in Intune. Only free apps from the Microsoft Store can be requested.
To deploy an app in Endpoint Manager, you need to select the desired app (or add it if it is not already available) and configure the appropriate assignment option – Required, Available or Uninstall.
The Required assignment means that the app is automatically installed on the device (for any user) if applied to a device group, or whenever a user logs on (on any compatible device) if applied to a user group.
The Available assignment can only be applied to user groups, which makes the app available for self-service installation in the Company Portal.
The Uninstall assignment means that the app will be uninstalled and can be applied to a device or user group.
Removing a group from the ‘Required’ assignment in Endpoint Manager does not result in the app being uninstalled, it just prevents future users or devices in that group from receiving the app. You must explicitly add the group to the ‘Uninstall’ assignment.
In Intune for Education, you can also assign the apps via the groups. By going into Groups and selecting the target group from the hierarchy, you can then select the desired apps to be installed – this creates a Required assignment on the app in Endpoint Manager. Any existing app assignments will show as already selected, and unselecting an app will cause it to be uninstalled – removing the Required assignment and creating an Uninstall assignment in Endpoint Manager.
If an app is common to multiple groups it can be assigned at a higher level in the group hierarchy, and the assignment will be inherited by the child groups.
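The three assignment intents and the uninstall caveat above, worked through as a small model of what a device check-in does. This is an added example, not Hwb's or Microsoft's code: the group names, app names and the check-in function are constructed, device groups are nested child to parent as on the page, and the model assumes an app is never both Required and Uninstall for the same device, since the guidance does not cover that case. It shows a Required assignment at the authority level inherited by a school's devices, Available being rejected on a device group, that removing the Required assignment leaves the app installed, and that an explicit Uninstall assignment (which is what unticking the app in Intune for Education creates) is what removes it.

```python
"""Toy model of Intune app-assignment intents (Required, Available,
Uninstall) and of what removing an assignment does and does not do,
following the Hwb guidance.

Added illustration, not Hwb or Microsoft code. Groups and apps are constructed.
"""
from dataclasses import dataclass

# Constructed groups: child -> parent, plus whether each is a device or user group.
PARENT = {"660 Devices": None, "6601234 Devices": "660 Devices", "6601234 Staff": None}
GROUP_KIND = {"660 Devices": "device", "6601234 Devices": "device", "6601234 Staff": "user"}
INTENTS = {"required", "available", "uninstall"}


@dataclass(frozen=True)
class Assignment:
    app: str
    intent: str
    group: str


def ancestry(group):
    """The group itself and every parent up to the root."""
    while group is not None:
        yield group
        group = PARENT[group]


def assign(assignments: set, app: str, intent: str, group: str) -> None:
    """Add an assignment, enforcing that Available only targets user groups."""
    if intent not in INTENTS:
        raise ValueError(f"unknown intent {intent!r}")
    if intent == "available" and GROUP_KIND[group] != "user":
        raise ValueError("Available can only be assigned to user groups")
    assignments.add(Assignment(app, intent, group))


def unassign(assignments: set, app: str, intent: str, group: str) -> None:
    assignments.discard(Assignment(app, intent, group))


def deselect_in_education(assignments: set, app: str, group: str) -> None:
    """What unticking an app in Intune for Education does in Endpoint Manager."""
    unassign(assignments, app, "required", group)
    assign(assignments, app, "uninstall", group)


def check_in(installed, assignments, device_group: str, user_group: str) -> tuple:
    """One check-in for a device in device_group used by someone in user_group.

    Required installs, Uninstall removes, Available only populates the Company
    Portal catalogue. Anything already installed that is simply no longer
    assigned is left alone. Assumes no app is both Required and Uninstall here.
    """
    member = set(ancestry(device_group)) | set(ancestry(user_group))
    installed = set(installed)
    catalogue = set()
    for a in assignments:
        if a.group not in member:
            continue
        if a.intent == "required":
            installed.add(a.app)
        elif a.intent == "uninstall":
            installed.discard(a.app)
        else:
            catalogue.add(a.app)
    return installed, catalogue


def demo() -> dict:
    assignments = set()
    # Required at the authority level is inherited by the school's devices.
    assign(assignments, "Reader", "required", "660 Devices")
    assign(assignments, "Big CAD", "available", "6601234 Staff")
    stage1, catalogue = check_in(set(), assignments, "6601234 Devices", "6601234 Staff")
    # Removing the group from Required does not uninstall anything.
    unassign(assignments, "Reader", "required", "660 Devices")
    stage2, _ = check_in(stage1, assignments, "6601234 Devices", "6601234 Staff")
    # Only an explicit Uninstall assignment removes the app.
    assign(assignments, "Reader", "uninstall", "660 Devices")
    stage3, _ = check_in(stage2, assignments, "6601234 Devices", "6601234 Staff")
    return {"required": stage1, "catalogue": catalogue,
            "after_unassign": stage2, "after_uninstall": stage3}


if __name__ == "__main__":
    for stage, state in demo().items():
        print(stage, sorted(state))
```

The middle stage is the one that catches people out: after the Required assignment is removed the device still reports the app as installed, and nothing in Intune will remove it until a group the device belongs to receives the Uninstall intent.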
More information on app deployment in Intune can be found in this Microsoft document - Add apps to Microsoft Intune | Microsoft Docs
Policy sets allow you to bundle configuration objects together in a single assignment, making them easier to manage and update. By adding common configuration profiles or apps to a policy set you only need to make a single assignment to the target group(s).
For example, if you had a policy set that applied configuration objects to all primary schools and you wanted to deploy a new app, you could simply add it to the policy set instead of assigning all the individual school groups in the app object.
Policy sets contain references to the configuration objects included in them. This means that any changes made to the objects will affect the policy set as well.
More information on policy sets can be found in this Microsoft Document - Policy sets - Microsoft Intune | Microsoft Docs
The Company Portal is a special app for use with Intune that provides self-service options.
By making apps ‘available’ in Intune, users are able to open the Company Portal app and use it as an app ‘catalogue’. This is most suitable for larger non-essential apps which can then be installed at the user’s convenience.
For further support please contact the Hwb Service Desk: Hwb@gov.wales | 03000 25 25 25.