Manage Android “Corporate device identifiers” in Intune without renaming them, but add them to an AAD group

This post has been waiting for a while until now, when I finally found time to publish it. It fills the gap that opens when you add your company devices (tablets) to your Intune tenant from a CSV file as “Corporate device identifiers”.

Some companies only allow company-added devices in the Intune tenant, so a user can’t enroll a private device. In Intune you can disable regular device enrollment for users! If you pre-import the CSV with the identifiers (serial number or IMEI), you and your users will only be allowed to enroll those devices, as corporate-owned devices. https://docs.microsoft.com/en-us/intune/corporate-identifiers-add

If you want to manage those devices in Azure AD with dynamic groups, it can be difficult because not all attributes are synced from Intune to Azure AD. There is also the problem that you can’t rename the devices in Intune.

In this example scenario, I have a lot of Android tablets to use as kiosk devices with a multi-app installation. Configuring the kiosk profile, creating configuration profiles and assigning apps is not part of this blog post, but you can find the steps below so you can do it if you like:

  1. Create a “Corporate-owned dedicated devices” profile with a QR code
  2. Create some “Device compliance – Policies”
  3. And also some “Device configuration – Profiles”
  4. Assign some applications
  5. Maybe create an AAD group to assign all of the above to a specific group
    1. Here we come to the point: when you want to use dynamic groups based on the name tag of the device that you import with the CSV file, you have no name on that device! How to handle this is explained in this post.

With a script that I and some co-workers (thank you, Athiraiyan Kugaseelan @AKugaseelan and Daniel Schaedler @SchaedlerDaniel) created, you can now fill this gap, because the name the device gets is not the one you import with the CSV file (in the CSV file you only have the option of a separate column to give the device a name). However, this attribute is not synced automatically to Azure AD.

Here is how it works and what it does:

  1. Import a list of Devices as “Corporate-owned dedicated devices” with a CSV-File
  2. Enroll the Device
  3. Create an AAD Group and add the Device
  4. The script to put all together

1. Import a list of Devices as “Corporate-owned dedicated devices” with a CSV-File

In the Intune blade to add “Corporate device identifiers”, you have to add your devices from a list you create as a CSV file. You can add the devices by serial number or IMEI.
For tablets I prefer the serial number, and for phones of course the IMEI.

The following steps show you how to proceed with the serial number:
First of all, we create an enrollment restriction for the users that does not allow enrolling Android and Android kiosk devices, and assign it to all users or to a specific group of users.

Then we import the CSV file in the following format:

My example-CSV myExample.csv contains the number (serial or IMEI) and the device details:

In the upload CSV file we can choose to upload the number as serial or IMEI:

Note: In case you are too lazy to use CSV, you can use PowerShell as well 😉
https://github.com/microsoftgraph/powershell-intune-samples/tree/master/CorporateDeviceEnrollment
Now you can see your imported devices after clicking the refresh button in your blade:

In the details column you can see the name you added for the device; that is the name you would like to use in Azure AD with dynamic groups!
Here are the MS-Docs: https://docs.microsoft.com/en-us/intune/corporate-identifiers-add#identify-corporate-owned-devices-with-imei-or-serial-number
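As an added example (not the author's script and not the Microsoft sample linked above), this is the same import done from myExample.csv with the Microsoft.Graph.Intune module, so the CSV step can be automated as well. It assumes the CSV has no header row and two columns (serial number or IMEI, then the details name), and it calls the Graph beta action importDeviceIdentityList that the linked CorporateDeviceEnrollment sample uses.

```powershell
# Added example, not the author's script. Assumes Microsoft.Graph.Intune is installed.
Import-Module Microsoft.Graph.Intune
Connect-MSGraph | Out-Null   # interactive sign-in; use -PSCredential for automation

function Get-IdentityType {
    param([string]$Identifier)
    # Constructed rule for this example: an IMEI is 15 digits, anything else is a serial number.
    if ($Identifier -match '^\d{15}$') { 'imei' } else { 'serialNumber' }
}

function ConvertTo-ImportedDeviceIdentities {
    param([string]$CsvPath)
    # The upload CSV has no header: column 1 = serial/IMEI, column 2 = details (the device name)
    $rows = Import-Csv -Path $CsvPath -Header 'identifier', 'details'
    foreach ($row in $rows) {
        $id = ([string]$row.identifier).Trim()
        if (-not $id) { continue }                       # skip empty lines
        $details = ([string]$row.details).Trim()
        if ($details.Length -gt 128) {                   # Intune limit for the details column
            throw "Details for '$id' exceed 128 characters"
        }
        [pscustomobject]@{
            importedDeviceIdentifier   = $id
            importedDeviceIdentityType = Get-IdentityType $id
            description                = $details
        }
    }
}

$identities = @(ConvertTo-ImportedDeviceIdentities -CsvPath 'C:\Source\myExample.csv')
$body = @{
    importedDeviceIdentities          = $identities
    overwriteImportedDeviceIdentities = $false       # keep entries that already exist
} | ConvertTo-Json -Depth 4

$result = Invoke-MSGraphRequest -HttpMethod POST `
    -Url 'https://graph.microsoft.com/beta/deviceManagement/importedDeviceIdentities/importDeviceIdentityList' `
    -Content $body

# The action returns one importedDeviceIdentityResult per row; 'status' tells whether it was accepted
$result.value | Format-Table importedDeviceIdentifier, importedDeviceIdentityType, description, status
```

After the import, the refresh button in the blade shows the same devices and details as a manual CSV upload would.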

2. Enroll the Device

Now you can enroll the devices with a user called afw#setup, which brings up the camera and lets you scan the QR code from your kiosk device profile. As soon as the devices are enrolled, they are not really visible in Azure AD. Go to Intune -> Devices -> All devices. The devices will show up with a weird name:

Unfortunately, you are not able to rename the device in the properties 🙁

However, the devices should be set as corporate-owned devices, and you are able to see the serial number of the device (the same one you have in the CSV file). This is what we need: a matching number between the AAD device and the Intune device!
The only match you can find on both sides is the serial number:

Now I would like to have the same name in Intune/Azure AD as the one I uploaded in my CSV (the details attribute). By design, it is not possible to rename the device, but there is another attribute, called “Management name”.

We came up with the script to read the serial number from the “Corporate device identifiers” list, look in AAD/Intune for a device with the same serial number, take the “details” name and write it to the management name of that device object.

3. Create an AAD Group and add the Device

Afterwards, we have to create an assigned AAD group, because the management name is not an attribute you can use for dynamic groups (this attribute is not synced from Intune to AAD).

We have to create the group with a script or manually before we add the device to it. There we can also assign apps, profiles or policies…

If you use RBAC, you can also add the scope tag to this group, and every client in it gets that tag.

4. The Script to put all together

If you want to use this script, just download it and add your name and encrypted password near line 500. The script is a function, so it can be run automated in Azure Automation or in a scheduled task on a server, so that the devices get the real name we want as fast as possible.

How do you create the encrypted password?
(Get-Credential).Password | ConvertFrom-SecureString | Set-Content "C:\source\password.txt"

How to Encrypt Passwords in PowerShell

Just open password.txt and copy the string.
Be careful: if you use the script in a scheduled task on a server, the PowerShell command that creates the password has to be run on that server, with the same user account, because ConvertFrom-SecureString protects the string with the Windows Data Protection API (DPAPI), which is bound to that user and machine 😉

The script uses this module:
Install-Module -Name Microsoft.Graph.Intune
and then performs these steps:
– Find the device
– Get the serial number
– Get the device ID
– Add the device to the AAD group
– Add the management name to the device

There is a little gap between the Intune SDK module and what we have to use to add the device to the Azure AD group, so for this case we added some separate functions.
List of variables that you have to change:

  • $LogFilePathFolder = "C:\Source"
  • $adminUPN = "Mirko@colemberg.ch"
  • $passWd = "***********"
  • $AADGroup = "Android-Classroom1"

Click on the link below to get the script:
https://github.com/slaet/IntuneScripts/blob/master/Intune_AndroisIdentityaddtoAAD-group005.ps1
Here is the detailed description of the script:

# Log in to your tenant with the script
# $passWd holds the DPAPI-protected string from password.txt (see above). Without -AsPlainText,
# ConvertTo-SecureString decrypts it, which only works on the server and for the user that created it.
$adminPwd = ConvertTo-SecureString -String $passWd
$creds = New-Object System.Management.Automation.PSCredential ($adminUPN, $adminPwd)
Write-Log "Establishing connection"
$connection = Connect-MSGraph -PSCredential $creds
$global:authToken = Get-AuthToken -User $adminUPN

Write-Log "Getting all corporate identifiers"
# get the corporate device identifiers (serial number or IMEI plus the "details" name)
$corpDevices = Get-CorporateDeviceIdentifiers

Write-Log "Getting all enrolled devices"
# get the enrolled devices
$enrolledDevices = Get-IntuneManagedDevice

# create the AAD group for the assignment if it does not exist yet
$AADGroup = "Android-Classroom1"
$GroupId = (Get-AADDeviceGroup -GroupName $AADGroup).id

if ([string]::IsNullOrEmpty($GroupId)) {
    $newGroup = New-AADGroup -displayName $AADGroup -securityEnabled:$true -mailEnabled:$false -mailNickname $AADGroup
    $GroupId = $newGroup.id
}

# loop over every device that is in the corporate identifiers list and newly enrolled in Intune
foreach ($corpDevice in $corpDevices)
{
    # match by serial number
    if ($corpDevice.importedDeviceIdentityType -eq "serialNumber")
    {
        if ($enrolledDevices.serialNumber -contains $corpDevice.importedDeviceIdentifier)
        {
            $deviceToUpdate = Get-IntuneManagedDevice -Filter "SerialNumber eq '$($corpDevice.importedDeviceIdentifier)'"
            if ($null -ne $deviceToUpdate)
            {
                Write-Log "Modifying device with serial number '$($corpDevice.importedDeviceIdentifier)'"
                # set the management name to the "details" value from the CSV
                Update-DeviceManagement_ManagedDevices -managedDeviceId $deviceToUpdate.id -managedDeviceName $corpDevice.description
                # find the AAD device object and add it to the AAD group
                $AADDevice = Get-AADDeviceDevice -DeviceID $deviceToUpdate.id
                Add-AADDeviceGroupMember -GroupId $GroupId -AADMemberID $AADDevice.id
            }
        }
    }
    # match by IMEI
    if ($corpDevice.importedDeviceIdentityType -eq "imei")
    {
        if ($enrolledDevices.imei -contains $corpDevice.importedDeviceIdentifier)
        {
            $deviceToUpdate = Get-IntuneManagedDevice -Filter "imei eq '$($corpDevice.importedDeviceIdentifier)'"
            if ($null -ne $deviceToUpdate)
            {
                Write-Log "Modifying device with IMEI '$($corpDevice.importedDeviceIdentifier)'"
                # set the management name to the "details" value from the CSV
                Update-DeviceManagement_ManagedDevices -managedDeviceId $deviceToUpdate.id -managedDeviceName $corpDevice.description
                # find the AAD device object and add it to the AAD group
                $AADDevice = Get-AADDeviceDevice -DeviceID $deviceToUpdate.id
                Add-AADDeviceGroupMember -GroupId $GroupId -AADMemberID $AADDevice.id
            }
        }
    }
}
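The AAD helpers the script calls (Get-AADDeviceGroup, New-AADGroup, Get-AADDeviceDevice, Add-AADDeviceGroupMember) are the separate functions mentioned earlier and are not shown on this page. As an added example that is not the author's code, this is one way to implement them with Invoke-MSGraphRequest from the Microsoft.Graph.Intune module against Graph v1.0; it keeps the parameter names the script uses and assumes Connect-MSGraph has already run with an account that may create groups and edit membership.

```powershell
# Added example, not the author's script: AAD helpers built on Invoke-MSGraphRequest.
$graph = 'https://graph.microsoft.com/v1.0'

function Get-AADDeviceGroup {
    param([Parameter(Mandatory)][string]$GroupName)
    $name = $GroupName.Replace("'", "''")          # keep the OData filter valid
    $r = Invoke-MSGraphRequest -HttpMethod GET -Url "$graph/groups?`$filter=displayName eq '$name'"
    $r.value | Select-Object -First 1              # $null when the group does not exist
}

function New-AADGroup {
    param([Parameter(Mandatory)][string]$displayName,
          [bool]$securityEnabled = $true,
          [bool]$mailEnabled = $false,
          [string]$mailNickname = $displayName)
    $body = @{ displayName = $displayName; securityEnabled = $securityEnabled
               mailEnabled = $mailEnabled; mailNickname = $mailNickname } | ConvertTo-Json
    Invoke-MSGraphRequest -HttpMethod POST -Url "$graph/groups" -Content $body
}

function Get-AADDeviceDevice {
    param([Parameter(Mandatory)][string]$DeviceID)   # Intune managed device id, as the script passes it
    # The managed device id is not the directory object id: resolve the managed device's
    # azureADDeviceId and match it to the directory device's deviceId. The returned object's
    # .id is the directory object id that group membership needs.
    $managed = Get-IntuneManagedDevice -managedDeviceId $DeviceID
    $r = Invoke-MSGraphRequest -HttpMethod GET -Url "$graph/devices?`$filter=deviceId eq '$($managed.azureADDeviceId)'"
    $r.value | Select-Object -First 1
}

function Add-AADDeviceGroupMember {
    param([Parameter(Mandatory)][string]$GroupId,
          [Parameter(Mandatory)][string]$AADMemberID)
    $body = @{ '@odata.id' = "$graph/directoryObjects/$AADMemberID" } | ConvertTo-Json
    try {
        Invoke-MSGraphRequest -HttpMethod POST -Url "$graph/groups/$GroupId/members/`$ref" -Content $body | Out-Null
    } catch {
        # Graph answers 400 "already exist" when the device is already a member; nothing to do then
        if ($_.Exception.Message -notmatch 'already exist') { throw }
    }
}
```

Re-running the script is safe with these helpers: an existing group is reused and a device that is already a member is skipped instead of failing the run.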

More information:

In fact, this works as well without renaming the Android device name, so you can also use this: https://github.com/microsoftgraph/powershell-intune-samples/tree/master/ManagedDevices

https://github.com/microsoft/Intune-PowerShell-SDK

Please test this before you run it in production. Be careful, since this script creates AAD groups and changes device attributes.

I hope this helps and saves you some time to have a beer….

