Cloud-first Device Management for Education with Microsoft Intune
Tablet Academy (TA) is known for its consultancy and training services delivered to over 50,000 educators worldwide every year. While many of those services are geared towards supporting classroom professionals, we also help those who work behind the scenes to support learners beyond the classroom and in roles such as IT Support, who set up and support IT systems within educational establishments.
This past year, TA worked with many UK schools and multi-academy trusts to upskill their staff in managing devices via Microsoft Intune. Many of those organisations were using on-premises systems to manage their devices. In some cases, the IT professionals we worked with had also started configuring Intune for device and app management but were now looking for best practices to onboard a sizeable proportion, or in some cases, all of their Windows 10/11 devices. Those devices were a mixture of either 1:1 student and staff devices or shared devices such as those found in classrooms, computer labs, communal spaces, and laptop trolleys.
Licensing
In most cases, managing devices through Microsoft Intune did not cost the institutions more than they had already invested in infrastructure or licensing. The subscription of choice for most education institutions we work with is the Microsoft 365 A3 subscription, which includes all the basic prerequisites, such as:
Entra ID Premium P1 (formerly Azure Active Directory Premium P1), which is needed for automatic device enrolment;
Microsoft Intune Plan 1, which allows access to Intune-managed devices; and
Windows A3, with education-specific operating system features such as the federated simple sign-in for Windows devices and various security features all bundled in.
As a bonus, for each Microsoft 365 A3 for Faculty subscription purchased through either the Enrolment for Education Solutions (EES) or Cloud Solution Providers (CSP) academic programs, those institutions are entitled to 40 complimentary "student use benefit" subscriptions, which in most cases covers the entire student population in the institution.
Bulk Enrolment
When setting up your Microsoft 365 tenant for Intune device management, the first consideration after acquiring trial or paid licenses is how to enrol those devices. Once Entra and Intune are configured to allow for automatic device enrolment, the choices boil down to two options for bulk enrolment of Windows devices: (a) using a highly customisable provisioning package or (b) leveraging the Windows Autopilot device directory service. Either method effectively provides an answer file to take the device through the standard out-of-the-box experience (OOBE) when you first turn a device on, join the device to Entra ID, and enrol the device to Intune.
If you want to use method (a), a provisioning package, you can create one using either the Set up School PCs app or the Windows Configuration Designer (WCD) app, both of which are available for admins to download from the Microsoft Store for Windows. The WCD method affords the most control over the enrolment process and is often the best option for administrators who want to guarantee the devices are ready from the get-go.
To use method (b), the Windows Autopilot enrolment method, you or your hardware vendor must register those devices with the central Windows Autopilot service and assign a deployment profile. That deployment profile can be either (i) user-driven, to enrol a device with a specific persona in mind, e.g. Year 8 student, or (ii) self-deploying (formerly known as "white glove"), which is used for kiosk, digital signage, or shared devices.
When deciding which enrolment method to use when deploying devices, it is important to consider personas and scenarios. The typical scenarios I usually start with are 1:1 staff devices, 1:1 student devices, shared staff devices, and shared student devices. Each of those collections of devices will benefit from having its own Entra ID security groups, which can be used later to assign settings, apps, and updates to the devices in question.
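As an added example (not part of the original article), the following PowerShell shows method (b) in practice: each device is registered with Windows Autopilot under a group tag that names its persona, and a dynamic Entra ID security group per persona then collects the devices automatically, so settings, apps and updates can be assigned to the group rather than to individual devices. It assumes the Get-WindowsAutopilotInfo script from the PowerShell Gallery, the Microsoft.Graph.Groups module, an account holding Group.ReadWrite.All, and the tag names and file path shown, which are constructed for this example.

```powershell
# Added example (not from the article): register devices with Autopilot by persona tag,
# then create one dynamic Entra ID group per persona keyed on that tag.
# Assumes: Get-WindowsAutopilotInfo (PowerShell Gallery), Microsoft.Graph.Groups,
# and an admin account with Group.ReadWrite.All. Tag names and paths are constructed.

# --- On each device, from an elevated PowerShell prompt ---------------------------------
Install-Script -Name Get-WindowsAutopilotInfo -Force
# Collect the hardware hash and stamp it with the persona tag; -Append lets several
# devices write into the same CSV from a shared USB drive.
Get-WindowsAutopilotInfo.ps1 -GroupTag "Student1to1" -OutputFile "D:\HWID\AutopilotHWID.csv" -Append
# Upload the CSV in the Intune admin center, or have your hardware vendor register the
# hashes with the same tags so no hands-on step is needed.

# --- From an admin workstation: one dynamic group per persona ---------------------------
Connect-MgGraph -Scopes "Group.ReadWrite.All"

$personas = @{
    "Student1to1"   = "Autopilot - 1:1 student devices"
    "Staff1to1"     = "Autopilot - 1:1 staff devices"
    "StudentShared" = "Autopilot - shared student devices"
    "StaffShared"   = "Autopilot - shared staff devices"
}

foreach ($tag in $personas.Keys) {
    # Membership rule: every Autopilot device whose registration carries this group tag.
    # Autopilot exposes the tag as "[OrderID]:<tag>" in device.devicePhysicalIds.
    $rule = "(device.devicePhysicalIds -any (_ -eq `"[OrderID]:$tag`"))"

    New-MgGroup -DisplayName $personas[$tag] `
        -MailEnabled:$false `
        -MailNickname ("autopilot-" + $tag.ToLower()) `
        -SecurityEnabled `
        -GroupTypes @("DynamicMembership") `
        -MembershipRule $rule `
        -MembershipRuleProcessingState "On"
}
```

Because the groups are dynamic, a device moves between personas simply by changing its group tag in the Autopilot device list; nothing has to be re-assigned by hand, and the group remains the single place to audit which devices receive a given configuration profile.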
Identities
While considering enrolment options, questions will arise regarding provisioning identities and whether those user accounts need continued access to on-premises resources, e.g., a shared network drive. If those accounts need access to on-premises resources, it is best to work with hybrid identities synchronised to Entra ID. That does not necessarily mean the devices need to be hybrid joined to Entra ID or that the devices need to be co-managed with Configuration Manager connected to Intune. The most straightforward combined configuration is to have cloud-only identities provisioned in Entra ID signing into devices joined to Entra ID, giving single sign-on to Microsoft 365 and third-party Software as a Service (SaaS) apps, with those devices managed via Intune for configuration and app deployment.
Ongoing Management
Once you have considered the options for provisioning your identities and enrolling your devices, you will want to think about three key parts to the ongoing management of the devices, in no particular order: operating system configuration, updates, and app management.
These can be managed directly from a "single pane of glass" in Intune for devices running Windows, macOS, iOS/iPadOS, and Android, with additional limited support for specific Linux distributions and ChromeOS.
Operating System Configuration
When configuring the operating system, consider which settings and scripts are deployed to existing machines and whether to "lift and shift" those to Intune. Microsoft has made it relatively simple to transition from on-premises Group Policy Objects (GPOs) by allowing an admin to import each GPO's gpresult.xml into Intune and letting the tool map those configuration options that can be translated from the Client-Side Extensions (CSE) model to the Configuration Service Provider (CSP) model used by modern device management (MDM) solutions, including Intune. Those mapped settings can, in turn, be reviewed and selectively deployed to Intune-managed devices and user groups as Settings Catalog-type configuration profiles.
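An added example, not part of the original article, of producing the per-GPO XML reports that the import step above consumes: it runs on a domain-joined admin workstation with the GroupPolicy RSAT module, exports every GPO in the domain as its own XML file using the Get-GPOReport cmdlet, and prints a short inventory so empty or stale GPOs can be left out of the import. The output folder is a constructed value.

```powershell
# Added example (not from the article): export every domain GPO as an XML report for
# upload to Intune's Group Policy analytics, and list the GPOs with their status so
# the ones worth migrating can be chosen first. Requires the GroupPolicy RSAT module.
Import-Module GroupPolicy

$outDir = "C:\GPOExport"   # constructed path for this example
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

foreach ($gpo in Get-GPO -All) {
    # GPO display names may contain characters that are invalid in file names
    $safeName = $gpo.DisplayName -replace '[\\/:*?"<>|]', '_'
    $xmlPath  = Join-Path $outDir "$safeName.xml"

    # One XML report per GPO; each file is uploaded to Intune separately
    Get-GPOReport -Guid $gpo.Id -ReportType Xml -Path $xmlPath
}

# Inventory: disabled GPOs and ones untouched for years are candidates to retire rather
# than migrate, which keeps the Settings Catalog profiles you create lean.
Get-GPO -All |
    Select-Object DisplayName, GpoStatus, ModificationTime |
    Sort-Object ModificationTime -Descending |
    Format-Table -AutoSize
```

Review the mapping report Intune produces for each upload before creating profiles from it: settings that have no CSP equivalent are reported as unsupported, and those are the ones that need a separate decision (a PowerShell script deployed through Intune, or simply dropping a legacy setting) rather than a straight lift and shift.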
Updates
Your approach to managing updates depends partly on your infrastructure, but deploying Windows Update for Business policies to your machines through Intune is very straightforward. You should consider giving some level of control to staff and students using 1:1 devices while fully automating the update processes for shared devices.
App Management
Regarding Windows app management, this is best covered in another blog post. In summary, for now, it is relatively easy to deploy shortcuts for web apps, such as a link to your school's cloud-based management information system (MIS) for staff, or to use apps from the Microsoft Store for Windows. For more custom deployments, consider using the Win32 Content Prep Tool to package your apps for deployment through Intune.
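As an added example (not part of the original article), this is the packaging step the Win32 Content Prep Tool performs: a source folder holding the installer is wrapped into an .intunewin file, and the package's SHA-256 hash is recorded so the file later uploaded to Intune can be checked against the one that was built. The folder paths, the installer name and the tool location are constructed for this example; the -c, -s, -o and -q switches are the tool's own.

```powershell
# Added example (not from the article): build an .intunewin package with the Win32 Content
# Prep Tool (IntuneWinAppUtil.exe) and record its hash for the change record.
# Paths and installer name are constructed; the tool is downloaded from Microsoft's
# Microsoft-Win32-Content-Prep-Tool release on GitHub.
$source = "C:\Packages\ExampleApp"          # folder with the installer and any dependencies
$setup  = "ExampleApp.msi"                  # setup file, relative to $source
$output = "C:\Packages\Output"              # where the .intunewin file is written
$tool   = "C:\Tools\IntuneWinAppUtil.exe"

New-Item -ItemType Directory -Path $output -Force | Out-Null

# -c source folder, -s setup file, -o output folder, -q quiet (no interactive prompts)
& $tool -c $source -s $setup -o $output -q

# The tool names the package after the setup file, e.g. ExampleApp.intunewin
$package = Join-Path $output ([IO.Path]::GetFileNameWithoutExtension($setup) + ".intunewin")

if (-not (Test-Path $package)) {
    throw "Packaging failed: $package was not created"
}

# Keep the hash with the deployment ticket; compare it to the file you upload to Intune
Get-FileHash -Path $package -Algorithm SHA256 |
    Select-Object Algorithm, Hash, Path
```

Keep the source folder to exactly what the installer needs: everything under -c is bundled into the package and delivered to every targeted device, so stray files (old installers, credentials left in a config file) would ship along with the app.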
TA delivers training on all the above and more. If you are interested in exploring this further, then I encourage you to get in touch by emailing info@ta.education, and we will put you in contact with the most appropriate consultant to discuss options for both free and funded support with you.