MDM Integration: Microsoft Intune
Imprivata Mobile Access Management has deep integration with Microsoft Intune. The instructions below describe how to set up Mobile Access Management to use Microsoft Graph APIs. Optionally, you may add an Enrollment Profile for touch-free enrollments of non-DEP devices.
To configure the Imprivata Locker Android app with Intune's Managed Home Screen, see this article.
API Integration
Microsoft API Integration is recommended for both DEP and non-DEP enrollments. API integration adds features to customize your workflows, including device delete, device sync, clear passcode, and lost mode.
There is a one-time process to allow Mobile Access Management access to your Intune tenant. First, your Azure administrator must create a new App Registration within Azure. Then your Mobile Access Management administrator will add the Azure OAuth credentials (client ID, client secret, and tenant ID) to Mobile Access Management.
Azure Setup
- Log into your Azure tenant at portal.azure.com.
- Search for the service App registrations.
- Create a new registration.
- Name the application "MAM API Access" or something similar.
- Choose the most limited account type (accounts in this organizational directory only, single tenant).
- Leave the Redirect URI blank; the client credentials flow used by this integration does not need one.
- Click Register to create the application.
- In the vertical navigation bar, select API permissions.
- Select the Microsoft Graph API.
- Select Application permissions and add the following:
  - DeviceManagementManagedDevices.PrivilegedOperation.All
  - DeviceManagementManagedDevices.ReadWrite.All
  - DeviceManagementConfiguration.Read.All
  - DeviceManagementConfiguration.ReadWrite.All
  - DeviceManagementServiceConfig.Read.All
  - DeviceManagementServiceConfig.ReadWrite.All
  - Device.Read.All
  - Device.ReadWrite.All
  - Directory.Read.All
  - Directory.ReadWrite.All
  - If your environment uses Azure shared iOS devices, also add User.Read as a Delegated permission for authenticating to Microsoft apps. For more information, see Authenticate to Microsoft Apps on iOS devices with Mobile Access Management.
- Click Add permissions.
- Grant admin consent to the newly-created application. At the top of the permission list is an action Grant admin consent for <company name>.
- Consent to allow the application to access your Intune managed devices. Application permissions are tenant-wide and are not tied to a signed-in user, so from this point anyone holding the client secret created below can exercise these permissions against your tenant; treat the secret as a privileged credential.
- In the vertical navigation bar, click Overview.
- Copy both the Application (client) ID and the Directory (tenant) ID to a safe place. You will use these in the MAM Admin console.
- In the vertical navigation bar, click Certificates & secrets.
- Click New client secret.
- Give the new secret a useful description.
- Select the expiration for the client secret. You may choose any value, but when it expires you must generate a new secret and load it into Mobile Access Management. A shorter lifetime limits the window in which a leaked secret is usable, so note the expiry date and plan the rotation.
- Add the new secret and copy the value, not the secret ID, to a safe place. The value is shown only once, immediately after creation. You will enter the client secret value in the MAM Admin console.
- You may now close Azure.
Mobile Access Management Setup
- In the MAM Admin console, navigate to Admin > MDMs.
- To add a new MDM, click Add and select Intune.
- Type a descriptive name in the MDM Name box. Skip the enrollment profile and enable API Integration.
- Enter your Client ID, Client Secret, and Tenant ID.
- Click Test to confirm a successful connection. If the test fails, check that admin consent was granted for every permission listed above and that you pasted the secret value rather than its ID.
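As an added example (not Imprivata's code and not part of the original article), the following Python script is a command-line counterpart to the Test step. It requests an app-only token with the client credentials grant from the Entra ID v2.0 token endpoint and inspects the token's `roles` claim for the application permissions listed above; a permission that was added but never consented to does not appear in that claim. The script assumes the credentials are supplied in the `TENANT_ID`, `CLIENT_ID` and `CLIENT_SECRET` environment variables (names chosen here, not from the article); without them it runs against a constructed, unsigned sample token so the check can be exercised offline.

```python
"""
Check an Entra ID (Azure AD) app-only token for the Microsoft Graph
application permissions the Intune integration needs.
"""
import base64
import json
import os
import urllib.parse
import urllib.request

# Application permissions from the setup steps above. After admin consent
# they surface in an app-only token's "roles" claim. The delegated User.Read
# permission for shared iOS devices is NOT expected here: delegated scopes
# appear in the "scp" claim of a user token, not in an app-only token.
REQUIRED_APP_ROLES = frozenset({
    "DeviceManagementManagedDevices.PrivilegedOperation.All",
    "DeviceManagementManagedDevices.ReadWrite.All",
    "DeviceManagementConfiguration.Read.All",
    "DeviceManagementConfiguration.ReadWrite.All",
    "DeviceManagementServiceConfig.Read.All",
    "DeviceManagementServiceConfig.ReadWrite.All",
    "Device.Read.All",
    "Device.ReadWrite.All",
    "Directory.Read.All",
    "Directory.ReadWrite.All",
})

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT.

    The signature is NOT verified: this inspects a token you just received
    from the token endpoint over TLS; it must not be used to trust a token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three segments)")
    return json.loads(_b64url_decode(parts[1]))


def missing_app_roles(claims: dict, required=REQUIRED_APP_ROLES) -> set:
    """Required application permissions absent from the token's roles claim."""
    granted = set(claims.get("roles", []))
    return set(required) - granted


def fetch_app_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Client-credentials grant against the v2.0 token endpoint (real call)."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
    }).encode()
    req = urllib.request.Request(
        TOKEN_URL.format(tenant=tenant_id), data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def make_sample_token(roles) -> str:
    """CONSTRUCTED, unsigned token (alg=none) for offline demonstration only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    header = {"alg": "none", "typ": "JWT"}
    payload = {"aud": "https://graph.microsoft.com", "roles": sorted(roles)}
    return f"{enc(header)}.{enc(payload)}."


def check_consent(token: str) -> list:
    """Sorted list of missing permissions; an empty list means consent is complete."""
    return sorted(missing_app_roles(decode_jwt_claims(token)))


if __name__ == "__main__":
    env = {k: os.environ.get(k) for k in ("TENANT_ID", "CLIENT_ID", "CLIENT_SECRET")}
    if all(env.values()):
        token = fetch_app_token(env["TENANT_ID"], env["CLIENT_ID"], env["CLIENT_SECRET"])
    else:
        # Offline path: a constructed token consented to everything except
        # Directory.ReadWrite.All, to show what an incomplete consent looks like.
        token = make_sample_token(REQUIRED_APP_ROLES - {"Directory.ReadWrite.All"})
    missing = check_consent(token)
    print("all required application permissions granted" if not missing
          else "missing admin consent for: " + ", ".join(missing))
```

A token that fails this check will usually still be issued, because the token endpoint does not require every requested permission to be consented; the failure only shows up later as a 403 from Graph, which is why inspecting the `roles` claim is a quicker diagnostic than clicking through the MDM workflows.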