ACMP Intune Connector

160

Microsoft Intune is a cloud-based solution that helps you manage your mobile devices. It allows you to remotely manage devices, secure access or even lock them down. With the ACMP Intune Connector, you can inventory the devices from Intune in ACMP and send the most important actions to the devices from ACMP.

8

9

= **Requirements for using the ACMP Intune Connector** =

10

11

To use the ACMP Intune Connector, the following requirements must be met:

12

13

* You need a user account with the appropriate permissions for Microsoft Entra ID

14

15

16

Refer to the [[//Registering an enterprise application in Microsoft Entra ID//>>doc:ACMP.68.Unternehmensanwendung registrieren in der Microsoft Entra ID.WebHome]] section for information on how to register an app and distribute the necessary permissions.

17

18

19

* There must be a connection between AESB and ACMP. AESB must be available for this and the necessary details of the [[SICS connection>>doc:||anchor="H1.ACMPconsole:CheckSICSconnectioninACMP"]] must be stored in ACMP

20

* AESB must be at least version 1.8

21

* You need a working internet connection, as Intune is a cloud solution and requires a network connection to work.

22

* A running instance of Intune

23

24

= Prepare for Microsoft Entra ID and distribute permissions =

25

26

In order for the ACMP Intune Connector to access the Intune API, you must first register a company application in the Microsoft Entra Admin Centre and grant the necessary permissions within these applications (see [[//Registering a company application in Microsoft Entra ID//>>url:https://doc.aagon.com/bin/view/ACMP/68/Unternehmensanwendung%20registrieren%20in%20der%20Microsoft%20Entra%20ID/]]).

27

28

= Configuration in AESB and ACMP =

29

30

Before you can use Intune in ACMP, you need to do some preliminary work in the ACMP and AESB consoles.

31

32

== 1. **ACMP console: Check SICS connection in ACMP** ==

33

34

It is necessary that you have a working SICS connection in ACMP. To do this, go to //System// > //Settings// > //ACMP Server// > //SICS Connection//. First tick the box to enable the connection. Then enter the host and port, as well as the user name and password for the operator. You specified the corresponding operator during the installation of the AESB, which you must also specify here. Specify whether to attempt an unencrypted connection if SSL/TLS fails. Then test the connection.

35

36

Also tick the Public API access rights box to grant access. You can now save your settings. ACMP and SICS are now connected to each other.

37

38

39

[[image:65_Intune_SICS-Verbindung_575.png||alt="65_ACMP_Einstellungen_SICS Verbindung.png" data-xwiki-image-style-alignment="center"]]

40

41

42

Set up SICS connection in ACMP

== 2. AESB console: **Install and configure the Intune Connector** ==

47

48

Now go to the AESB console. From the Dashboard, navigate to the //Products// menu item. In the overview you will find a list of all packages available for installation or updates. Select //ACMP Intune Adapter// and click //Install// either in the quick selection bar or directly in the fields. A new window will open and the installation will begin.

49

50

51

[[image:65_AESB_Übersicht des ACMP Intune Adapters in der AESB Console.png||data-xwiki-image-style-alignment="center"]]

52

53

54

Overview of the ACMP Intune Adapter in the AESB Console

The first step tells you what you need to have already done to successfully install the Intune Adapter: You need a configured and working Microsoft Intune instance and a working ACMP SICS connection. In the second step of the installation wizard, you have the option to assign a template name at the top of the pages.

59

60

Under //Intune Connector Configuration//, you can set basic settings for the Intune Connector. Under ACMP Server ID, you need to specify the server to which the changes will be sent. If you enter an asterisk, the changes will be sent to all ACMP servers that have a SICS connection and whose connection information is identical to the information you entered in step //[[1. ACMP console: Check SICS connection in ACMP>>doc:||anchor="H1.ACMPconsole:CheckSICSconnectioninACMP"]]//. You can also specify the name of the workflow instance under which the settings are to be sent. You can do this under //Ondemand definition name//.

61

62

In the //Intune Configuration// menu item, you can now use one of the two login methods: the secret client key or a certificate.

63

64

=== Option 1: Certificate authentication method: ===

65

66

67

Microsoft recommends the certificate authentication method.

68

69

70

Configuring Intune with a certificate is very similar to the //secret client key// authentication method. You only need to upload the certificate and enter its password.

71

72

Select //Certificate// as the authentication type. Enter the certificate to be used in the Certificate field. Only .pfx files can be uploaded. Then enter the certificate password, if available. Also enter the Application ID (Client) (the ID is used to identify the user to Intune) and the Directory ID (Tenant) (it runs under the tenant) in the fields provided. Both strings can be found in the general information of the previously registered business application on the Azure AD pages.

73

74

75

[[image:65_Eingabe der Anwendungs- und Verzeichnis-ID.png||data-xwiki-image-style-alignment="center"]]

76

77

78

Enter the application and directory ID

[[image:65_AESB_Hochladen des Zertifikats.png||data-xwiki-image-style-alignment="center"]]

84

85

86

Uploading the certificate

=== Option 2: **Secret client key authentication method:** ===

91

92

Select //secret client key// as the authentication type. Under //secret client key//, enter the value that you generated as the secret key on the [[Azure Active Directory pages>>doc:||anchor="HUploadclientsecretkeyorcertificates"]].

93

94

95

Please note that the value is displayed in abbreviated form. This means that it will have a different character length when entered in the AESB console.

[[image:65_Eingabe des geheimen Clientschlüssels.png||data-xwiki-image-style-alignment="center" height="234" width="1000"]]

100

101

102

Enter the secret client key

Also enter the Application ID (Client) (the ID is used to identify the user to Intune) and the Directory ID (Tenant) (under which the Tenant runs) in the fields provided. Both strings can be found in the general information of the previously registered Enterprise Application (Azure AD).

107

108

109

[[image:65_Eingabe der Anwendungs- und Verzeichnis-ID.png||data-xwiki-image-style-alignment="center"]]

110

111

112

Enter the application and directory ID

[[image:65_AESB_Eingabe der Informationen zum geheimen Clientschlüssel.png||data-xwiki-image-style-alignment="center"]]

118

119

120

Enter the info for the secret client key

Click //Verify Connection//. If the connection is successful, you will be taken to the //scanner configuration//, where you can optionally set time intervals for the scanner. If you do not want to make any changes, click //Next//.

125

126

The Intune adapter installation will begin in the background. When the installation is complete and all items have been successfully installed, you can click //Finish//. You will be returned to the AESB Console Overview page. There are several places in the AESB Console where you can check that the installation was successful and that all the required applications are available:

127

128

|**Navigation point**|**Description**

129

|Microservices|Below the Supervisors & microservice instances, you will see the entries //IntuneConnector_1 //and //IntuneWorkflowEngine_1//.

130

|Workflows|Within the Workflow engines & instances section, the entries //IntuneWorkflowEngine_1 //and //IntuneMobileDevices_1 //must be listed.

131

132

133

You can also install the Intune Connector more than once. This allows you to use both the secret client key and the certificate as the authentication type. A dual installation is useful, for example, if you are using multiple ACMP servers and want the data to flow to them. Multiple installations will increment the microservices and workflow entries. In this case, you would have, for example, //IntuneWorkflowEngine_1//,// IntuneWorkflowEngine_2, and IntuneMobileDevices_1 and IntuneMobileDevices_2//.

134

135

136

= How to use Intune in ACMP =

137

138

Once you have set up the ACMP Intune Connector, devices are imported from Intune into ACMP. You can use this data in queries and reports, for example. You can also send some actions to the devices through ACMP.

== Query Actions ==

Navigate to //Client Management// > //Query Management//. Open a query that contains the required Clients.

143

144

In the query result set you will see the inventoried Client types (e.g. Clients of type Android, iOS or Windows). Select the Clients on which you want to perform an Intune action.

145

146

147

[[image:65_Abfrageaktionen_Intune relevante Abfrageaktionen.png||data-xwiki-image-style-alignment="center"]]

148

149

150

Intune-relevant Query Actions

You can choose between the following actions:

155

156

157

Note that any subsequent actions (sending notifications,retire devices, etc.) that you want to send or perform on the endpoint via Intune may be delayed. The status of the job will be shown as //Finished// in the Job Monitor as the action has been executed by ACMP and successfully passed to Intune.

158

159

160

|**Query Actions**|(% style="width:1141px" %)**Description**

161

|Send Intune notification|(% style="width:1141px" %)You can use this action to send Intune notifications to the [[Company Portal app>>https://apps.microsoft.com/store/detail/unternehmensportal/9WZDNCRFJ3PZ?hl=de-de&gl=de]] on the selected devices. The messages may also appear on lock screens or in the Android apps. Make sure you only share information that is not too sensitive if you want to send notifications about it.

162

\\Enter both a title and body text, then click //Execution//.

163

|Retire Intune devices|(% style="width:1141px" %)This action deletes the Intune-specific settings on the selected devices. It also removes the //Company Portal app// and deletes the selected devices from Intune Management.

164

|Wipe Intune devices|(% style="width:1141px" %)If you want to reset an Intune device to its factory settings, choose this action. This will also delete the device from Intune Management. You must select the checkbox for this step and confirm the confirmation prompt before you can perform the action.

165

|Remotely lock Intune devices|(% style="width:1141px" %)If you want to lock Intune devices remotely, you can do so from the Action. This requires the user to correctly enter their chosen security mechanism (PIN, password, facial recognition, etc.) on the endpoint to unlock the device.

166

|Synchronize Intune devices|(% style="width:1141px" %)This action causes selected Intune devices to send their inventory data to Intune. This allows you to keep devices up to date with the latest information.

== Client Details ==

If you want to view information about an Intune device, you can get all the relevant data from the Client Details. To do this, navigate to the required client in a query and double-click to open the details.

171

172

Under the //Mobile Device Management// > //Mobile Device// menu, you can find all the information about the stored mobile device. If you want to perform an Intune related action on the selected Client, you can use the options in the [[quick selection bar>>https://apps.microsoft.com/store/detail/unternehmensportal/9WZDNCRFJ3PZ?hl=de-de&gl=de]].

173

174

175

There are fields for all the information stored here, which you can use in queries, filters and reports, for example.

[[image:65_Abfrageaktion_Ansicht der Intune Client Details.png||data-xwiki-image-style-alignment="center"]]

180

181

182

View of the Intune Client details

183

184

author	version	line-number	content
		1	{{aagon.priorisierung}}
		2	160
		3	{{/aagon.priorisierung}}
		4
		5	{{aagon.floatingbox/}}
		6
		7	Microsoft Intune is a cloud-based solution that helps you manage your mobile devices. It allows you to remotely manage devices, secure access or even lock them down. With the ACMP Intune Connector, you can inventory the devices from Intune in ACMP and send the most important actions to the devices from ACMP.
		8
		9	= Requirements for using the ACMP Intune Connector =
		10
		11	To use the ACMP Intune Connector, the following requirements must be met:
		12
		13	* You need a user account with the appropriate permissions for Microsoft Entra ID
		14
		15	{{box}}
		16	Refer to the [[//Registering an enterprise application in Microsoft Entra ID//>>doc:ACMP.68.Unternehmensanwendung registrieren in der Microsoft Entra ID.WebHome]] section for information on how to register an app and distribute the necessary permissions.
		17	{{/box}}
		18
		19	* There must be a connection between AESB and ACMP. AESB must be available for this and the necessary details of the [[SICS connection>>doc:\|\|anchor="H1.ACMPconsole:CheckSICSconnectioninACMP"]] must be stored in ACMP
		20	* AESB must be at least version 1.8
		21	* You need a working internet connection, as Intune is a cloud solution and requires a network connection to work.
		22	* A running instance of Intune
		23
		24	= Prepare for Microsoft Entra ID and distribute permissions =
		25
		26	In order for the ACMP Intune Connector to access the Intune API, you must first register a company application in the Microsoft Entra Admin Centre and grant the necessary permissions within these applications (see [[//Registering a company application in Microsoft Entra ID//>>url:https://doc.aagon.com/bin/view/ACMP/68/Unternehmensanwendung%20registrieren%20in%20der%20Microsoft%20Entra%20ID/]]).
		27
		28	= Configuration in AESB and ACMP =
		29
		30	Before you can use Intune in ACMP, you need to do some preliminary work in the ACMP and AESB consoles.
		31
		32	== 1. ACMP console: Check SICS connection in ACMP ==
		33
		34	It is necessary that you have a working SICS connection in ACMP. To do this, go to //System// > //Settings// > //ACMP Server// > //SICS Connection//. First tick the box to enable the connection. Then enter the host and port, as well as the user name and password for the operator. You specified the corresponding operator during the installation of the AESB, which you must also specify here. Specify whether to attempt an unencrypted connection if SSL/TLS fails. Then test the connection.
		35
		36	Also tick the Public API access rights box to grant access. You can now save your settings. ACMP and SICS are now connected to each other.
		37
		38	{{figure}}
		39	[[image:65_Intune_SICS-Verbindung_575.png\|\|alt="65_ACMP_Einstellungen_SICS Verbindung.png" data-xwiki-image-style-alignment="center"]]
		40
		41	{{figureCaption}}
		42	Set up SICS connection in ACMP
		43	{{/figureCaption}}
		44	{{/figure}}
		45
		46	== 2. AESB console: Install and configure the Intune Connector ==
		47
		48	Now go to the AESB console. From the Dashboard, navigate to the //Products// menu item. In the overview you will find a list of all packages available for installation or updates. Select //ACMP Intune Adapter// and click //Install// either in the quick selection bar or directly in the fields. A new window will open and the installation will begin.
		49
		50	{{figure}}
		51	[[image:65_AESB_Übersicht des ACMP Intune Adapters in der AESB Console.png\|\|data-xwiki-image-style-alignment="center"]]
		52
		53	{{figureCaption}}
		54	Overview of the ACMP Intune Adapter in the AESB Console
		55	{{/figureCaption}}
		56	{{/figure}}
		57
		58	The first step tells you what you need to have already done to successfully install the Intune Adapter: You need a configured and working Microsoft Intune instance and a working ACMP SICS connection. In the second step of the installation wizard, you have the option to assign a template name at the top of the pages.
		59
		60	Under //Intune Connector Configuration//, you can set basic settings for the Intune Connector. Under ACMP Server ID, you need to specify the server to which the changes will be sent. If you enter an asterisk, the changes will be sent to all ACMP servers that have a SICS connection and whose connection information is identical to the information you entered in step //[[1. ACMP console: Check SICS connection in ACMP>>doc:\|\|anchor="H1.ACMPconsole:CheckSICSconnectioninACMP"]]//. You can also specify the name of the workflow instance under which the settings are to be sent. You can do this under //Ondemand definition name//.
		61
		62	In the //Intune Configuration// menu item, you can now use one of the two login methods: the secret client key or a certificate.
		63
		64	=== Option 1: Certificate authentication method: ===
		65
		66	{{aagon.infobox}}
		67	Microsoft recommends the certificate authentication method.
		68	{{/aagon.infobox}}
		69
		70	Configuring Intune with a certificate is very similar to the //secret client key// authentication method. You only need to upload the certificate and enter its password.
		71
		72	Select //Certificate// as the authentication type. Enter the certificate to be used in the Certificate field. Only .pfx files can be uploaded. Then enter the certificate password, if available. Also enter the Application ID (Client) (the ID is used to identify the user to Intune) and the Directory ID (Tenant) (it runs under the tenant) in the fields provided. Both strings can be found in the general information of the previously registered business application on the Azure AD pages.
		73
		74	{{figure}}
		75	[[image:65_Eingabe der Anwendungs- und Verzeichnis-ID.png\|\|data-xwiki-image-style-alignment="center"]]
		76
		77	{{figureCaption}}
		78	Enter the application and directory ID
		79	{{/figureCaption}}
		80	{{/figure}}
		81
		82	{{figure}}
		83	[[image:65_AESB_Hochladen des Zertifikats.png\|\|data-xwiki-image-style-alignment="center"]]
		84
		85	{{figureCaption}}
		86	Uploading the certificate
		87	{{/figureCaption}}
		88	{{/figure}}
		89
		90	=== Option 2: Secret client key authentication method: ===
		91
		92	Select //secret client key// as the authentication type. Under //secret client key//, enter the value that you generated as the secret key on the [[Azure Active Directory pages>>doc:\|\|anchor="HUploadclientsecretkeyorcertificates"]].
		93
		94	{{aagon.infobox}}
		95	Please note that the value is displayed in abbreviated form. This means that it will have a different character length when entered in the AESB console.
		96	{{/aagon.infobox}}
		97
		98	{{figure}}
		99	[[image:65_Eingabe des geheimen Clientschlüssels.png\|\|data-xwiki-image-style-alignment="center" height="234" width="1000"]]
		100
		101	{{figureCaption}}
		102	Enter the secret client key
		103	{{/figureCaption}}
		104	{{/figure}}
		105
		106	Also enter the Application ID (Client) (the ID is used to identify the user to Intune) and the Directory ID (Tenant) (under which the Tenant runs) in the fields provided. Both strings can be found in the general information of the previously registered Enterprise Application (Azure AD).
		107
		108	{{figure}}
		109	[[image:65_Eingabe der Anwendungs- und Verzeichnis-ID.png\|\|data-xwiki-image-style-alignment="center"]]
		110
		111	{{figureCaption}}
		112	Enter the application and directory ID
		113	{{/figureCaption}}
		114	{{/figure}}
		115
		116	{{figure}}
		117	[[image:65_AESB_Eingabe der Informationen zum geheimen Clientschlüssel.png\|\|data-xwiki-image-style-alignment="center"]]
		118
		119	{{figureCaption}}
		120	Enter the info for the secret client key
		121	{{/figureCaption}}
		122	{{/figure}}
		123
		124	Click //Verify Connection//. If the connection is successful, you will be taken to the //scanner configuration//, where you can optionally set time intervals for the scanner. If you do not want to make any changes, click //Next//.
		125
		126	The Intune adapter installation will begin in the background. When the installation is complete and all items have been successfully installed, you can click //Finish//. You will be returned to the AESB Console Overview page. There are several places in the AESB Console where you can check that the installation was successful and that all the required applications are available:
		127
		128	\|Navigation point\|Description
		129	\|Microservices\|Below the Supervisors & microservice instances, you will see the entries //IntuneConnector_1 //and //IntuneWorkflowEngine_1//.
		130	\|Workflows\|Within the Workflow engines & instances section, the entries //IntuneWorkflowEngine_1 //and //IntuneMobileDevices_1 //must be listed.
		131
		132	{{aagon.infobox}}
		133	You can also install the Intune Connector more than once. This allows you to use both the secret client key and the certificate as the authentication type. A dual installation is useful, for example, if you are using multiple ACMP servers and want the data to flow to them. Multiple installations will increment the microservices and workflow entries. In this case, you would have, for example, //IntuneWorkflowEngine_1//,// IntuneWorkflowEngine_2, and IntuneMobileDevices_1 and IntuneMobileDevices_2//.
		134	{{/aagon.infobox}}
		135
		136	= How to use Intune in ACMP =
		137
		138	Once you have set up the ACMP Intune Connector, devices are imported from Intune into ACMP. You can use this data in queries and reports, for example. You can also send some actions to the devices through ACMP.
		139
		140	== Query Actions ==
		141
		142	Navigate to //Client Management// > //Query Management//. Open a query that contains the required Clients.
		143
		144	In the query result set you will see the inventoried Client types (e.g. Clients of type Android, iOS or Windows). Select the Clients on which you want to perform an Intune action.
		145
		146	{{figure}}
		147	[[image:65_Abfrageaktionen_Intune relevante Abfrageaktionen.png\|\|data-xwiki-image-style-alignment="center"]]
		148
		149	{{figureCaption}}
		150	Intune-relevant Query Actions
		151	{{/figureCaption}}
		152	{{/figure}}
		153
		154	You can choose between the following actions:
		155
		156	{{aagon.infobox}}
		157	Note that any subsequent actions (sending notifications,retire devices, etc.) that you want to send or perform on the endpoint via Intune may be delayed. The status of the job will be shown as //Finished// in the Job Monitor as the action has been executed by ACMP and successfully passed to Intune.
		158	{{/aagon.infobox}}
		159
		160	\|Query Actions\|(% style="width:1141px" %)Description
		161	\|Send Intune notification\|(% style="width:1141px" %)You can use this action to send Intune notifications to the [[Company Portal app>>https://apps.microsoft.com/store/detail/unternehmensportal/9WZDNCRFJ3PZ?hl=de-de&gl=de]] on the selected devices. The messages may also appear on lock screens or in the Android apps. Make sure you only share information that is not too sensitive if you want to send notifications about it.
		162	\\Enter both a title and body text, then click //Execution//.
		163	\|Retire Intune devices\|(% style="width:1141px" %)This action deletes the Intune-specific settings on the selected devices. It also removes the //Company Portal app// and deletes the selected devices from Intune Management.
		164	\|Wipe Intune devices\|(% style="width:1141px" %)If you want to reset an Intune device to its factory settings, choose this action. This will also delete the device from Intune Management. You must select the checkbox for this step and confirm the confirmation prompt before you can perform the action.
		165	\|Remotely lock Intune devices\|(% style="width:1141px" %)If you want to lock Intune devices remotely, you can do so from the Action. This requires the user to correctly enter their chosen security mechanism (PIN, password, facial recognition, etc.) on the endpoint to unlock the device.
		166	\|Synchronize Intune devices\|(% style="width:1141px" %)This action causes selected Intune devices to send their inventory data to Intune. This allows you to keep devices up to date with the latest information.
		167
		168	== Client Details ==
		169
		170	If you want to view information about an Intune device, you can get all the relevant data from the Client Details. To do this, navigate to the required client in a query and double-click to open the details.
		171
		172	Under the //Mobile Device Management// > //Mobile Device// menu, you can find all the information about the stored mobile device. If you want to perform an Intune related action on the selected Client, you can use the options in the [[quick selection bar>>https://apps.microsoft.com/store/detail/unternehmensportal/9WZDNCRFJ3PZ?hl=de-de&gl=de]].
		173
		174	{{aagon.infobox}}
		175	There are fields for all the information stored here, which you can use in queries, filters and reports, for example.
		176	{{/aagon.infobox}}
		177
		178	{{figure}}
		179	[[image:65_Abfrageaktion_Ansicht der Intune Client Details.png\|\|data-xwiki-image-style-alignment="center"]]
		180
		181	{{figureCaption}}
		182	View of the Intune Client details
		183	{{/figureCaption}}
		184	{{/figure}}

Wiki source code of ACMP Intune Connector