MDM Integration: Microsoft Intune

Imprivata Mobile Access Management has a deep integration with Microsoft Intune. The instructions below describe how to set up Mobile Access Management to use Microsoft Graph APIs. Optionally, you may add an Enrollment Profile for touch-free enrollments of non-DEP devices.

To configure the Imprivata Locker Android app with Intune's Managed Home Screen, see Configure Locker Android App and Microsoft Intune Managed Home Screen.

API Integration

Microsoft API Integration is recommended for both DEP and non-DEP enrollments. API integration adds additional features to customize your workflows, including device delete, device sync, clear passcode, and lost mode.

There is a one-time process to allow Mobile Access Management access to your Intune tenant. First, your Azure administrator must create a new App Registration within Azure. Then your Mobile Access Management administrator will add the Azure OAuth credentials to Mobile Access Management.

Determine the Permissions Model for the Authentication Method

Depending on your organization's needs, you can use one of the following permissions models as the authentication method for MAM.

  • Application permissions - Imprivata Locker runs in the background without a signed-in user. See Option 1: Application Permissions.

  • Resource Owner permissions - the authentication method for delegated permissions.

    The resource owner authorizes Imprivata Locker to access the resource on its behalf. See Option 2: Resource Owner Permissions. Supported in MAM 7.2 and later.

Step 1: Microsoft Azure Setup

NOTE:

Configuration steps in Microsoft Azure and Microsoft Intune are provided to help guide you through the setup with MAM. Microsoft may change their interfaces at any time.

Always consult your Microsoft documentation for the latest admin console updates and paths to settings.

  1. Log into your Microsoft Azure tenant at portal.azure.com.

  2. Search for the service App registrations.

    Click to enlarge

  3. Click + New registration to add a new registration. Name the application "MAM API Access" or something similar.

  4. Choose Accounts in this organization directory only from the list of supported account types.

    Click to enlarge

  5. Leave the Redirect URI blank.

  6. Click OK to create the application.

    After registering a new application, you can find the Application (client) ID and Directory (tenant) ID from the overview menu option.

    Copy both the Application (client) ID and the Directory (tenant) IDs to a safe place. You will use these in the MAM Admin console in a later step.

    Click to enlarge

  7. In the vertical navigation bar, select API permissions.

    Click to enlarge

  8. Select the Microsoft Graph API.

    Click to enlarge

To use Application permissions:

  1. Select Application permissions.

    Click to enlarge

  2. Add permissions for:

    • Device.ReadWrite.All,

    • DeviceManagementManagedDevices.PrivilegedOperation.All

    • DeviceManagementManagedDevices.ReadWrite.All

    • DeviceManagementServiceConfig.ReadWrite.All

    • GroupMember.ReadWrite.All

    • If your environment utilizes Azure shared iOS devices, add User.Read as a Delegated Permission for authenticating to Microsoft apps. For more information, see Authenticate to Microsoft Apps on iOS devices with Mobile Access Management.

      Click to enlarge


  3. Click Add Permissions.

  4. Grant permissions to the newly-created application. At the top of the permission list is an action Grant admin consent for <company name>.

    Click to enlarge

  5. Consent to allow the application to access your Intune managed devices.

  6. In the vertical navigation bar, click Clients & Secrets.

  7. Click New client secret.

  8. Name the new secret with a meaningful description.

  9. Select the expiration for the client secret. You may choose any value, but if it expires you must regenerate a new secret and load it into Mobile Access Management.

  10. Add the new secret, copy the value, not the ID, and store it in a safe place. You will add the client secret value in the MAM Admin console in a later step.

  11. You may now close Azure.

Requirements

Using Resource Owner permissions requires the following items to be created and configured in Azure. For more information, see your Microsoft Azure and Microsoft Intune admin consoles documentation.

  • Create a custom role assignment for the Policy and Profile Manager role.

  • Assign the custom role to a user.

    Take note of this user and its password. You will add the value in the MAM console in a later step.

  • Use scope tags to ensure that your Intune admins have the correct access and visibility to the Imprivata Locker app.

    • The scope tag must be added to your token name in Enrollment program tokens (Devices | Enrollment > Enrollment program tokens).

    • Add the scope tag to the policies and profiles that you want admins to have access to.

Configure Resource Owner Permissions

To configure Resource Owner permissions:

  1. In Azure, navigate to the MAM API Access application, navigate to the Manage > Authentication menu.

    In the Settings section, switch the Allow public client flows setting to Enabled.

    Click to enlarge

  2. Select Delegated permissions.

  3. Add permissions for:

    • Device.Read.All

    • DeviceManagementConfiguration.ReadWrite.All

    • DeviceManagementManagedDevices.PrivilegedOperations.All

    • DeviceManagementManagedDevices.ReadWrite.All

    • DeviceManagementServiceConfig.ReadWrite.All

    • Group.Read.All

    • GroupMember.ReadWrite.All

    • User.Read

      Click to enlarge

  4. Click Add Permissions.

  5. Grant permissions to the newly-created application. At the top of the permission list is an action Grant admin consent for <company name>.

  6. Consent to allow the application to access your Intune managed devices.

  7. Navigate to the Enterprise Application list select newly created app and add the Resource Owner account to the Users list.

Step 2: Mobile Access Management Setup

  1. In the MAM Admin console, navigate to Admin > MDMs.

  2. To add a new MDM, click Add and select Intune.

  3. Type a descriptive name in the MDM Name box.

    Click to enlarge

  4. Skip the enrollment profile.

  5. Switch API Integration to ON and click Configure.

  6. In the Microsoft Intune API dialog, configure the following information:

    1. In the Use delegated permissions, select one of the options as the authentication method: Application or Resource Owner.

    2. In the Client ID box, type the Client ID of your Azure environment. In Azure, this value is named Application (client) ID; you saved this value in an earlier step.

      1. If Application is your authentication method for delegated permissions, in the Client Secret box, type the client secret you saved earlier.

      2. If Resource Owner is your authentication method for delegated permissions, type the Resource Owner Username and Resource Owner Password.

    3. In the Tenant ID box, type the tenant ID of your Azure environment. In Azure, this value is named Directory (tenant) ID; you saved this value in an earlier step.

      Click to enlarge

  7. Click Test to verify connectivity.