MDM Integration: Microsoft Intune
Imprivata Mobile Access Management has a deep integration with Microsoft Intune. The instructions below describe how to set up Mobile Access Management to use Microsoft Graph APIs. Optionally, you may add an Enrollment Profile for touch-free enrollments of non-DEP devices.
To configure the Imprivata Locker Android app with Intune's Managed Home Screen, see Configure Locker Android App and Microsoft Intune Managed Home Screen.
API Integration
Microsoft API Integration is recommended for both DEP and non-DEP enrollments. API integration adds features for customizing your workflows, including device delete, device sync, clear passcode, and lost mode.
There is a one-time process to allow Mobile Access Management access to your Intune tenant. First, your Azure administrator must create a new App Registration within Azure. Then your Mobile Access Management administrator will add the Azure OAuth credentials to Mobile Access Management.
Determine the Permissions Model for the Authentication Method
Depending on your environment's needs, you can use one of the following permissions models as the authentication method for MAM.
- Application permissions - Imprivata Locker runs in the background without a signed-in user. See Option 1: Application Permissions.
- Resource Owner permissions - the authentication method for delegated permissions. The resource owner authorizes Imprivata Locker to access the resource on its behalf. Supported in MAM 7.2 UAT and later. See Option 2: Resource Owner Permissions.
Step 1: Microsoft Azure Setup
- Log into your Microsoft Azure tenant at portal.azure.com.
- Search for the service App registrations.
- Create a new registration.
- Name the application "MAM API Access" or something similar.
- Choose Accounts in this organization directory only from the list of supported account types.
- Leave the Redirect URI blank.
- Click OK to create the application. The application is created.
After registering a new application, you can find the application (client) ID and Directory (tenant) ID from the overview menu option.
Copy both the Application (client) ID and the Directory (tenant) ID to a safe place. You will use these in the MAM Admin console in a later step.
- In the vertical navigation bar, select API permissions.
- Select the Microsoft Graph API.
To use Application permissions:
- Select Application permissions.
- Add the following permissions:
  - Device.ReadWrite.All
  - DeviceManagementManagedDevices.PrivilegedOperation.All
  - DeviceManagementManagedDevices.ReadWrite.All
  - DeviceManagementConfiguration.Read.All
  - DeviceManagementConfiguration.ReadWrite.All
  - DeviceManagementServiceConfig.ReadWrite.All
  - GroupMember.ReadWrite.All
  - Directory.Read.All
  - Directory.ReadWrite.All
  If your environment utilizes Azure shared iOS devices, add User.Read as a Delegated Permission for authenticating to Microsoft apps. For more information, see Authenticate to Microsoft Apps on iOS devices with Mobile Access Management.
- Click Add Permissions.
- Grant permissions to the newly-created application. At the top of the permission list is an action Grant admin consent for <company name>.
- Consent to allow the application to access your Intune managed devices.
- In the vertical navigation bar, click Clients & Secrets.
- Click New client secret.
- Name the new secret with a meaningful description.
- Select the expiration for the client secret. You may choose any value, but if it expires you must generate a new secret and load it into Mobile Access Management.
- Add the new secret, copy the value (not the ID), and store it in a safe place. You will add the client secret value in the MAM Admin console in a later step.
- You may now close Azure.
Requirements
Using Resource Owner permissions requires the following items to be created and configured in the Microsoft Intune admin center. For more information, see your Microsoft Intune admin console documentation.
- Create a custom role assignment for the Policy and Profile Manager role.
- Assign the custom role to a user. Take note of this user and its password. You will add these values in the MAM console in a later step.
- Use scope tags to ensure that your Intune admins have the correct access and visibility to the Imprivata Locker app. Add the scope tag to the policies and profiles that you want admins to have access to.
Configure Resource Owner Permissions
To configure Resource Owner permissions:
- In the Microsoft Intune admin center, navigate to the MAM API Access application and click the Authentication menu. In the Advanced settings section, switch the Allow public client flows setting to Yes.
Step 2: Mobile Access Management Setup
- In the MAM Admin console, navigate to Admin > MDMs.
- To add a new MDM, click Add and select Intune.
- Type a descriptive name in the MDM Name box.
- Skip the enrollment profile.
- Switch API Integration to ON and click Configure.
- In the Microsoft Intune API dialog, configure the following information:
  - In the Use delegated permissions list, select one of the options as the authentication method: Application or Resource Owner.
  - In the Client ID box, type the Application (client) ID you saved earlier.
  - If you selected Application as the authentication method for delegated permissions, in the Client Secret box, type the client secret you saved earlier.
  - If you selected Resource Owner as the authentication method for delegated permissions, type the Resource Owner Username and Resource Owner Password.
  - In the Tenant ID box, type the tenant ID you saved earlier.
- Click Test to verify connectivity.
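The connectivity test in the last step exercises the token request that the permissions model chosen in Step 1 determines. The following Python script is an added example, not Imprivata's or Microsoft's code: it builds the token request for either model (the client credentials grant for Application permissions, the password grant for Resource Owner permissions, which is why Allow public client flows must be Yes), and then checks that the access token's roles or scp claim actually carries every permission listed in Step 1, which is the usual way to catch a missing Grant admin consent before anything is typed into the MAM console. The endpoint and scope strings are the standard Microsoft identity platform values; the tenant ID, client ID and the sample token claims are constructed placeholders.

```python
import base64
import json
import urllib.request
from urllib.parse import urlencode

# Standard Microsoft identity platform v2.0 token endpoint and the Graph scope
# that requests every permission consented to on the app registration.
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"

# The application permissions Step 1 has you add under API permissions.
REQUIRED_PERMISSIONS = {
    "Device.ReadWrite.All",
    "DeviceManagementManagedDevices.PrivilegedOperation.All",
    "DeviceManagementManagedDevices.ReadWrite.All",
    "DeviceManagementConfiguration.Read.All",
    "DeviceManagementConfiguration.ReadWrite.All",
    "DeviceManagementServiceConfig.ReadWrite.All",
    "GroupMember.ReadWrite.All",
    "Directory.Read.All",
    "Directory.ReadWrite.All",
}


def client_credentials_body(client_id, client_secret):
    """Option 1, Application permissions: app-only token, no signed-in user."""
    return urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
    })


def resource_owner_body(client_id, username, password):
    """Option 2, Resource Owner permissions: the password grant. No client
    secret is sent, which is why the registration needs Allow public client
    flows set to Yes."""
    return urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "username": username,
        "password": password,
        "scope": GRAPH_SCOPE,
    })


def request_token(tenant_id, body):
    """POST the form body to the tenant's token endpoint and return the
    access_token string. This is the live network call; not run offline."""
    req = urllib.request.Request(
        TOKEN_ENDPOINT.format(tenant_id=tenant_id),
        data=body.encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def _b64url(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(access_token):
    """Read the JWT payload only. No signature check is done here: this is a
    local look at what the token claims to carry; Graph validates the
    signature on every request."""
    _header, payload, _signature = access_token.split(".")
    return json.loads(_b64url(payload))


def missing_permissions(claims, required=frozenset(REQUIRED_PERMISSIONS)):
    """App-only tokens list application permissions in 'roles'; delegated
    tokens list them space-separated in 'scp'. Returns the permissions that
    were not granted, typically because admin consent was never given."""
    granted = set(claims.get("roles", [])) | set(claims.get("scp", "").split())
    return sorted(required - granted)


def sample_token(claims):
    """Constructed JWT-shaped string with a placeholder signature, used only
    so decode_claims() can be exercised offline against known claims."""
    enc = lambda obj: base64.urlsafe_b64encode(
        json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "sig"])


# Constructed claims: consent was granted for all but one required permission.
SAMPLE_CLAIMS = {
    "aud": "https://graph.microsoft.com",
    "appid": "00000000-0000-0000-0000-000000000000",  # placeholder client ID
    "roles": sorted(REQUIRED_PERMISSIONS - {"GroupMember.ReadWrite.All"}),
}

if __name__ == "__main__":
    body = client_credentials_body("<client-id>", "<client-secret>")
    # token = request_token("<tenant-id>", body)   # live call against your tenant
    token = sample_token(SAMPLE_CLAIMS)            # offline stand-in
    gaps = missing_permissions(decode_claims(token))
    print("missing permissions:", gaps or "none, consent is complete")
```

Run it once with a real token from request_token() after granting admin consent and before the Test button in the MAM console; an empty list means the registration carries everything Step 1 asked for, and any name printed is a permission to add or re-consent in Azure. A delegated token from the Resource Owner model will report permissions in scp rather than roles, which the check handles the same way.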

