Windows device category and company portal

Romain PHILIPPE 6 Reputation points
2020-08-20T13:33:13.637+00:00

Hello,

I am new to intune.

I have 2 questions that I think are tied together to something I'm missing or didn't find good documentation on.

Little background : I work for a company with offices and IT teams split between several locations.

All offices use the same Azure tenant. Some offices use on-prem AD synced with the tenant by Azure AD Connect, others use fully Azure AD identity management.

We plan to join the Windows devices of all offices into Azure AD and manage them using Intune (MEM?). Offices that have on-prem AD will join devices as hybrid by GPO, others will use provisioning packages.

We also want to be able to give each office RBAC to enable them to see and manage only their devices and policies.

I've followed MS docs to manage RBAC with scope tags and it's working fine, but for now when I (or anyone else) enroll a new Windows device, the device gets only the default scope tag. How can I apply different scope tags based on which user enrolls devices? Is there any other way to do it?

Which leads me to my second question: the Windows Company Portal store app

  • What is it needed for, exactly?
  • Can I have the Company Portal store app apply the scope tag automatically depending on which user is logged in?
  • How does that work with hybrid join // provisioning package?

Thanks for reading


3 answers

  1. Dominique Pollard 46 Reputation points
    2020-08-23T18:13:14.83+00:00

    The default scope tag is automatically added to all untagged objects that support scope tags.

    https://learn.microsoft.com/en-us/mem/intune/fundamentals/scope-tags

    The Company Portal helps users manage their device and apps; as the administrator, you can manage the Company Portal.

    https://learn.microsoft.com/en-us/mem/intune/user-help/using-the-intune-company-portal-website

    This goes into detail about using the ICD tool to create provisioning packages for AAD join.

    https://learn.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-packages

    You will need to check your role assignment and subscription service to perform some of these actions.


  2. Romain PHILIPPE 6 Reputation points
    2020-08-24T08:47:44.36+00:00

    Thank you for your answer but I already read these docs and didn't find what I was looking for.

    The default scope tag is applied, yes, but what I'm looking for is how to add a custom tag.

    I see that we can have these custom tags applied by a security group. And the security group membership can be conditioned to the "device category" selected by the user in the company portal app or web app.

    But can we skip that manual selection and apply it automatically when one specific user joins a device? Maybe via a PS script? It seems really weird not to have this built in, tbh.

    Also, the Company Portal app: if I understand things correctly, when joining a device to Intune using the Windows 10 Settings app, we don't need the Company Portal to deploy apps as required, or config profiles / compliance policies.

    The Company Portal app would be needed only to access "available" apps ... or to set the device category. Is that correct?


  3. VipulSparsh-MSFT 16,251 Reputation points Microsoft Employee
    2020-08-26T04:21:01.91+00:00

    @Romain PHILIPPE You can try using the Graph API with respect to automating it: https://learn.microsoft.com/en-us/graph/api/resources/intune-rbac-rolescopetag?view=graph-rest-beta. More documentation is yet to be released around this.

    Is there a bulk scope tag assignment scenario? If yes, please vote for this idea in Intune UserVoice to get this feature soon: https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/36033307-assign-scope-tag-for-bulk-of-devices

    For the Company Portal part, yes, your understanding is correct: you do not need the CP app for enrollment specifically, as Windows already has a default MDM client which is used for enrollment.
    So the CP app in Windows will help you more with the kind of apps that have been deployed to that user, the number of devices enrolled with that user, and the CP's ability for the end user to remove them.

    -----------------------------------------------------------------------------------------------------------------

    If the suggested response helped you resolve your issue, do click on "Mark as Answer" and "Up-Vote" for the answer that helped you for benefit of the community.
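As an added example (not code from this thread, from Microsoft, or from the linked docs), the following PowerShell script uses the beta Graph endpoints the answer points to in order to tag Windows devices that still carry only the default scope tag, picking the office tag from the enrolling user's UPN domain, which is the per-user automation the question asks about. It assumes the Microsoft.Graph PowerShell SDK, an account holding the two permissions named in the script, and that the scope tags in the mapping already exist; the domains and tag names are placeholders.

```powershell
# Added example (not code from the thread, Microsoft, or the linked docs).
# Assigns an office-specific scope tag to Windows devices that still carry only the
# built-in default tag, choosing the tag from the enrolling user's UPN domain.
# Assumptions: Microsoft.Graph PowerShell SDK; an account with
# DeviceManagementRBAC.ReadWrite.All and DeviceManagementManagedDevices.ReadWrite.All;
# scope tags with the display names below already created. Domains/tag names are placeholders.

Connect-MgGraph -Scopes 'DeviceManagementRBAC.ReadWrite.All',
                        'DeviceManagementManagedDevices.ReadWrite.All'

$graph = 'https://graph.microsoft.com/beta/deviceManagement'

# Placeholder mapping: UPN domain of the enrolling user -> scope tag display name
$OfficeTagByDomain = @{
    'paris.example.com' = 'Office-Paris'
    'lyon.example.com'  = 'Office-Lyon'
}

# Resolve scope tag names to ids; the built-in tag is the "Default" one every object gets
$tags         = (Invoke-MgGraphRequest -Method GET -Uri "$graph/roleScopeTags").value
$tagIdByName  = @{}
foreach ($t in $tags) { $tagIdByName[$t.displayName] = $t.id }
$defaultTagId = ($tags | Where-Object { $_.isBuiltIn }).id

# Enumerate Windows devices, following @odata.nextLink pages
$uri = "$graph/managedDevices?`$filter=operatingSystem eq 'Windows'" +
       "&`$select=id,deviceName,userPrincipalName,roleScopeTagIds"
while ($uri) {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    foreach ($d in $page.value) {
        # Skip devices an admin has already tagged (anything beyond the default tag)
        $custom = @($d.roleScopeTagIds | Where-Object { $_ -ne $defaultTagId })
        if ($custom.Count -gt 0 -or -not $d.userPrincipalName) { continue }

        $domain  = ($d.userPrincipalName -split '@')[-1].ToLower()
        $tagName = $OfficeTagByDomain[$domain]
        if (-not $tagName -or -not $tagIdByName.ContainsKey($tagName)) {
            Write-Warning "No scope tag mapping for $($d.deviceName) ($domain); left untouched"
            continue
        }

        # PATCH replaces the whole roleScopeTagIds list, so keep the default tag as well
        $body = @{ roleScopeTagIds = @($defaultTagId, $tagIdByName[$tagName]) } | ConvertTo-Json
        Invoke-MgGraphRequest -Method PATCH -Uri "$graph/managedDevices/$($d.id)" `
            -Body $body -ContentType 'application/json'
        Write-Host "Tagged $($d.deviceName) with $tagName"
    }
    $uri = $page.'@odata.nextLink'
}
```

Running this on a schedule after enrollment approximates automatic per-user tagging; the device-category and security-group route discussed earlier in the thread remains the supported built-in path, and both rely on the enrolling user's UPN being recorded on the device.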