Adding an Intune device manager

Edit online

Configure Microsoft™ Intune as your device manager.

Before you begin

Note: The mtlsidaas global tenants for device managers are now deprecated and will be removed after March 2024. Go to Obtaining a vanity hostname to request a vanity domain. For more information, see Adding a device manager.
  • You must have administrative permission to complete this task.
  • Log in to the IBM Verify administration console as an Administrator.

About this task

Supported operating systems
  • Windows 8.1 and later
  • MacOS 10.13 and later
Note: If you are using MacOS Safari, you might encounter an issue in which you are not prompted for the client certificates that are issued by the Intune device manager. To resolve the issue, you must configure the MacOS Keychain identity preference.
  1. On your Mac system, go to Keychain Access.
  2. Add an Identity Preference for the client certificate.
  3. Set the identity preference location to tenant authentication URL + (space) + (com.apple.Safari). For example, https://{mtls_enabled_tenant_name}/usc.
The identity preference is now found in Keychain Access > login > All items and the certificate prompt works correctly.

Procedure

  1. Select Authentication > Device managers.
  2. Select Add device manager.
  3. Select the Type of device manager that you want to set up.
  4. Select Next.
  5. On the General settings page, provide the following information.
    • Enter the Device manager name in the provided field.
    • Select the Identity provider from the menu.
    • Select the Trust type from the menu. For Device trust selection, the users need to login with their configured first factor authentication mechanism. Device trust only confirms if the authentication is done from managed device or not.
      Note: The Device trust feature CI-114829 can be enabled upon request. To request this feature, contact your IBM Sales representative or IBM contact and indicate your interest in enabling this capability. Create a support ticket if you have permission. IBM Verify trial subscriptions cannot create support tickets.
    • Select whether to enable just-in-time provisioning for user accounts.
      Note: The Just-in-Time (JIT) provisioning for user accounts is only applicable in case of User and device trust selection.
    • Select the Client certificate validity period. By default, the selection is 3 years.
    • Specify the maximum number of certificates for each device.
    • Specify how many minutes that the user and device information is kept.
  6. Select Next.
  7. On the API credentials page, enter the API details of your application in Azure Active Directory.
    • If you already have the application, select Form only.
      1. Provide the application ID, secret, and the tenant name.
      2. Select Unique user identifier from a predefined list of attributes, or select Custom Rule to specify attribute mappings. If you select to use a custom rule, you can add custom attributes and a rule. Type the rule to compute the attribute value. For example, 
        requestContext.email[0].split('@')[0]
        Note: The custom rule selection is not applicable to Device trust. However, you can enter the appropriate attribute in the provided field.
      3. Select Test credentials to verify your credentials.
      4. Select Next.
    • If you are creating an application, select Show with steps and follow the instructions.
      1. In the Azure portal, go to Azure Active Directory > App Registrations and the select New registration.
      2. On the Register an application page, specify the following details.
        Name
        Enter a meaningful app name, for example IBM Verify.
        Supported account types
        Select Accounts in any organizational directory.
        Redirect URI
        Leave the default section of Web, and then specify the sign-on URL for the third-party SCEP server.
      3. Select Register.
      4. From the app overview page,copy the Application (client) ID value and paste it in the Enter app ID field.
      5. In the navigation page for the app, under Manage, select Certificates & secrets and select New client secret.
      6. Enter a description, select any option for Expires, then click Add.
      7. Paste the client secret in the Enter app secret field.
      8. Copy the Tenant ID, which is the domain text after the @ sign in your account, and paste it in the Tenant name field.
      9. Select or type a unique user identifier attribute.
      10. In the navigation page for the app, under Manage, select API permissions, and select Add a permission.
      11. Select Intune and then select Application permissions. Select the checkbox for scep_challenge-provider.
      12. Select Add permissions.
      13. In the navigation pane for the app, under Manage, select API permissions, and select Add a permission.
      14. Select Microsoft Graph, and then select Application permissions. .
      15. Select the checkbox for DeviceManagementManageDevices.Read.All, User.Read.All, and Application.Read.All.
      16. Select Add permissions.
      17. Select Grant admin consent for Microsoft, and then select Yes.
      18. Select Test credentials to verify your credentials.
      19. Select Next.
  8. On the User properties page (opens in case of User and device trust selection) or Device properties (opens in case of Device trust selection), map the device manager attributes to IBM Verify attributes.
    Note: Attribute names are case-insensitive and duplicate attributes are not allowed.
    1. Select the device manager attribute,
    2. Optional: Select a transform from the menu.
    3. Required: Select the Verify attribute that you want to map the attribute to.
    4. Select how you want to store the attribute in the user's profile.
  9. Optional: Click Add attributes.
    If you select to use a custom rule, you can add custom attributes one at a time and a rule. Type the rule to compute the attribute value. For example, 
    idsuser.email[0].split('@')[0]
    Click Run test to make sure the rule works.
  10. Select Save and continue.
    The device manager is saved.
  11. Create the root certificate profile.
    Follow the instructions that are provided.
    1. Download the following root and profile certificates .zip files that are provided.
    2. Sign in to Microsoft Endpoint Manager and open Devices > Configuration profiles.
    3. To create a root certificate profile, select Create profile and choose the following settings:
      Platform
      Select the appropriate platform.
      Profile
      Trusted certificate.
    4. Select Create.
    5. Name the root certificate profile, for example WIN10_RootCA_Cert, and select Next.
    6. Upload the root certificate profile that you downloaded in Step 1, set the destination store to Computer certificate store - Root, and select Next.
    7. Set Assign to to the users or groups that you want to test with and select Next.
    8. Select Create.
    9. Repeat steps 2-8 for the intermediate certificate.
  12. Select Next.
  13. On the SCEP certificate profile page, enter the API details of your application in Azure Active Directory.
    • If you already have a SCEP certificate profile, select Values only.
      1. Provide the subject and SCEP URL.
      2. Select Next.
    • If you are creating a SCEP certificate profile, select Show with steps and follow the instructions.
      1. To create a SCEP certificate profile, select Create profile and choose the following settings:
        Platform
        Select the appropriate platform.
        Profile
        TrustedSCEP certificate.
      2. Select Create.
      3. Name the root certificate profile, for example WIN10_RootCA_Cert, and select Next.
      4. Use the following configuration settings:
        Certificate Type
        User.
        Subject name format
        Custom.
        Custom
        Automatically generated CN.
        Subject alternative name
        User principal name (UPN).
        Certificate validity period
        1 Year.
        Key storage provider (KSP)
        If available, enroll to Trusted Platform Module (TPM) KSP, otherwise enroll to Software KSP.
        Key usage
        Key encipherment, Digital signature.
        Key size (bits)
        2048.
        Hash algorithm
        SHA-2.
        Root certificate
        Select the root certificate profile that you created and named in step 11.
        Extended key usage
        Select Client Authentication from the Predefined values menu.
        Renewal threshold
        20.
        SCEP server URLs
        Automatically generated URL.
      5. Select Next and assign any users or group that you want to test the connection with.
      6. Select Create.
      7. Select Next.
  14. Set the MDM scopes.
    Follow the instructions.
    1. In the Microsoft Endpoint Manager admin center, choose All services > M365 Azure Active Directory > Azure Active Directory > Mobility (MDM and MAM).
    2. Select Microsoft Intune to configure Intune.
    3. Select Some from the MDM user scope to use MDM auto-enrollment to manage enterprise data on your employees' Windows™ devices.
      MDM auto-enrollments are configured for AAD joined devices and bring your own device scenarios.
    4. Select Select groups > Selected groups/Users > Select as the assigned group.
    5. Select Some from the MAM Users scope to manage data on your workforce's devices.
    6. Choose Select groups > Select groups/Users > Select as the assigned group.
    7. Use the default values for the remaining configuration values.
    8. Select Save.
  15. Select Next.
  16. Test the configuration.
    Follow the instructions.
  17. Select Complete setup.
    1. Review your settings.
    2. Select Save changes.