Skip to main content
Matrix42 Self-Service Help Center

Microsoft Intune Integration

  1. Last updated
  2. Save as PDF

Overview

Microsoft Intune is a device management solution that uses the Modern Management Layer (MDM) to apply policies, restrictions, or deploy applications to devices. It is tightly integrated with Microsoft Azure and requires a separate license.

The integration requires a valid license certificate "Matrix42 AG - DWP - M42IntuneDataProvider" which is not part of UEM23 license.

Integration with Matrix42 UUX for UEM provides the ability to manage devices connected to multiple device management solutions from a single console based on the common user experience used by all Matrix42 products.

General users do not need to use the dedicated consoles such as Endpoint Manager (Intune), Silverback or Empirum Console (EMC). Only experts need these consoles - standard rollouts and troubleshooting are performed in the Matrix42 UEM console and Matrix42 Service Desk.

Even though Intune can be used as a software deployment tool, we recommend that you consider a co-managed approach with Empirum. The combination of modern management and classic agent-based management has many advantages, such as:

  • Intune is used for policies and Matrix42 UEM Agent for software packages
  • Option for a local depot infrastructure
  • Easier installation order and dependency handling
  • Rollout progress is better observable and predictable
  • Easier troubleshooting based on instantly available logs
  • Reinstallation of software packages possible
  • User part of installations
  • Variables for machine and user
     

Requirements

  • Installed and configured Matrix42 Digital Workspace Management
  • Installed and configured UUX for UEM 23.0.3 or newer. Intune App assignment requires UUX for UEM 24.0.1 or newer.
    • The Extension has a prerequisite to Intune Integration Core which is automatically installed
  • Intune device visibility and management requires the Intune Inventory Data Provider and the Enterprise Management Platform license.
  • Intune Assignments require the  Microsoft Entra ID / Microsoft 365 data provider..

Installation

  1. Install the the Intune Extensions 
    1. The required Intune Integration Extension is in the Matrix42 Extension Gallery.
    2. In the UUX go to the Administration -> Extension Gallery and log on with an Matrix42 Account.
    3. Select the Intune Integration Extension and install. 
  2. Follow the steps in the dedicated online documentation. The Intune Integration data provider extension imports devices.
    1. Add a schedule to the "Intune Integration - Data Import" Engine Activation in Services & Processes to update the devices regularly.
  3. Configure the "Intune Import for UEM" data provider. Use the same Tenant and Service in the Service Connection. The data provider is part of the UEM extension.
  4. The device actions require additional App privileges as described in the installation guide.
  5. Configure the "Microsoft Entra ID / Microsoft 365" data provider using the same Entra tenant as described in the documentation. For UEM Assignments only user import is required.

Configuration

Intune Import for UEM Data Provider

This feature is in preview state. It can be used for testing and evaluation but not production. Feedback is welcome can be provided to beta_UEM@matrix42.com

The Intune Import for UEM  data provider installed with the UEM Extension (24.0.1 or newer) collects all Apps from Intune and provides them with the object type "Intune App" and management type "Modern" in the software library.  The configured Service Connection is also used for managing the Entra groups and App assignments when assigning devices to apps.

The data provider needs to be configured to use a service connection to Microsoft 365 (Intune):

  • The general setup of the required Intune app registriation  is described in the Intune Inventory Data Provider documentation which is used to import computer objects.
  • The Intune Import for UEM  data provider requires an additional service connection with the service "Intune UEM" which provides additional scopes as they are requied to manage groups in Entra.

To select the service connection go to Administration - Integration - Data Providers - Intune Import for UEM and add a configuration. Select the previously configured service connection and save. After activation the data provider workflow will use the MS Graph API to restive the Intune Apps and imports/update or remove them in the UEM Objects Library.

The schedule of the App import is defined in the Engine Activations "UEMIntuneAppImportActivation" and runs by default every 60 minutes.

Features

Display of devices imported from Intune

Imported devices are displayed in the UEM App in addition to the Asset Apps of the UUX. Users can view device details, search and filter in the Endpoint Devices navigation.

clipboard_e95c7c50fc543ddf04a4909efaf560a5d.png

Device Actions for Intune devices

To allow users easy troubleshooting on endpoints which are managed by Intune several device actions are provided. this actions are also visible in the service desk application. 

Device Action Android iOS / iPadOS Windows macOS
Refresh Yes Yes Yes Yes
Wipe Yes Yes Yes Yes
Autopilot Reset No No Yes No
Restart No No Yes Yes

Actions require the user to be part of the privileged user role: 

Device Action User role
Refresh UEM Device Admin or UEM Device User user roles
Wipe UEM Device Admin user role
Autopilot Reset UEM Device Admin user role
Restart UEM Device Admin or UEM Device User user roles

Action State

Intune managed devices with an active  status show the current status of actions in the preview. This is live request to Intune when the tab is selected.

clipboard_e9067d2a71929b5bd8007be29873f75bd.png

Management system set to "Modern" or Co-Managed" for Intune devices

  • Management System is the name of the management layer used by device management. This was introduced by UEM.
    • Classic - Empirum Agent based.
    • Modern - Silverback or Intune via MDM.
    • Co-Managemed - Devices are managed classic and with the modern management layer.

Intune App Import

Intune Apps can be imported and assigned in UEM assignments to deploy apps to Intune or co-managed managed devices.

The imported Apps are shown in the navigation Software Distribution - Software Packages. The Object Type is set to "Intune App" which can be used for filtering in the lists.

The preview of the Apps shows basic information like name, version, description and App Type. In addition the supported platform is displayed.

clipboard_e083b68c9c8157d7a8445ff2c667bfd4d.png

Assignment of Intune Apps

The assignment of Intune Apps allows the rollout of apps to devices managed by Intune or co-managed with Empirum. When creating a new assignment and adding software packages with the object type "Intune-App" the assignment will be set to connect to Intune when set to active with Intune devices added.

We suggest to use dedicated assignments for Intune Apps and Empirum Apps as the progress and rollout plan calculation picks the devices in a given order and not based on deployment system.

In general all assignments are based on Entra groups which will contain the devices and are added to the App properties assignment properties. The groups use the naming schema "MX42-ASSIGNMENTNAME-ASSIGNMENTTYPE". App

The following assignment types are supported based on the distribution command selected:

Group Assignment in Intune Entra Group Name UEM Distribution Command UEM Packages are Optional
Required MX42-ASSIGNMENTNAME-Install Install/Update or Install No
Available for enrolled devices (not yet supported) MX42-ASSIGNMENTNAME-Optional Install/Update or Install Yes
Uninstall MX42-ASSIGMENTNAME-Uninstall Uninstall No
  • When an assignment is created the groups based on the name schema are created and devices are added.
  • Devices are added when an assignment is created or changed independent of the Active/Inactive state.
  • The groups are added to the Intune apps contained in the assignment when the assignment is set to active. The name changed based on the Install or Uninstall mode of the assignment.
  • The status of the rollout is calculated based on the installation state which is updated every 60 minutes or when an assignment is changed.

Uninatall assignments are only supported for Windows apps.

Installation Status

The installation state is retrieved by an integrated engine which collects the information from Intune every 60 minutes or when an assignment is changed for the contained app.

App installation states can be reviewed in UEM - Deployments.

Not all states and results  possible in Intune are available in UEM. The relevant information for the rollout process is the installation state (Installed, Not installed). Not covered states or results are shown as Unknown.

Rollout Plan

The rollout plan allows to use automated wave rollouts of Intune Apps to devices. The devices are added based on the plan to the related EntraID group. As not all status information is provided via the API from Intune the error threshold might not incorporate all failure scenarios in Intune.

Current Limitations

  • Devices imported by the Intune data provider do not show the last seen date in the Endpoint Devices list.
  • Only one service connection (tenant) for Intune is supported.
  1. Back to top
  • Was this article helpful?

Recommended articles

  1. Article type
    How-To
    Stage
    Review
    Target Group
    Customer
  2. Tags
    This page has no tags.