Intune Documentation
Audience: Platform Engineering, distributed unit administrators, TechHub
Purpose: Comprehensive guide for Microsoft Intune endpoint management
Quick Links
| Resource | Description |
|---|---|
| Intune Portal | Microsoft Endpoint Manager admin center |
| Autopilot Onboarding | Device enrollment procedures |
| Autopilot Offboarding | Device decommissioning process |
| Scope Groups & Naming | Naming conventions and group types |
| RBAC Roles | Custom endpoint management roles |
Overview
Microsoft Intune provides centralized mobile device management (MDM) and mobile application management (MAM) capabilities. This documentation covers best practices, policy configuration, compliance management, and device enrollment across Windows and Android platforms.
Windows Autopilot
Windows Autopilot streamlines device provisioning by pre-configuring devices in the cloud before they reach end users.
Deployment Profiles
| Profile Type | Use Case |
|---|---|
| User-Driven | Standard deployment for assigned devices |
| Self-Deploying | Kiosks, shared devices, and labs |
| Pre-Provisioned | IT-prepared devices for immediate use |
Standard TAMU Profiles
- _TAMU User Driven with Pre Provision v2 — Standard user device profile
- Custom unit profiles (e.g., CLBA_GENERAL_SHARED) — Unit-specific kiosk/shared configurations
Key Procedures
| Procedure | Description |
|---|---|
| Autopilot Onboarding | Manual enrollment when vendor provisioning fails |
| Autopilot Offboarding | Decommissioning devices from Autopilot |
| Bulk Upload & Naming | Hardware ID collection and Graph API renaming |
| Deployment Profiles & ESP | Requesting and configuring profiles |
Scope Groups
Scope groups provide structured policy targeting across the organization. Each group type serves a specific purpose:
| Group Type | Purpose | Example |
|---|---|---|
| DSG (Device) | Device object collections | DSG - CLED - Faculty Laptops |
| USG (User) | User account groupings | USG - CLED - Faculty Users |
| ESG (Experience) | Combined user/device bundles | ESG - CLED - Standard Faculty Experience |
| PSG (Policy) | Policy/app assignments | PSG - Required - User - CLED - Office 365 |
| RSG (Role) | PIM-elevated access groups | RSG - CLED - Autopilot Admins |
All scope groups must be created within the unit's designated Administrative Unit (e.g., AU-CLED). Personnel must have the Groups Administrator role elevated via PIM for their AU.
For detailed naming conventions, see Scope Groups and Naming.
Custom RBAC Roles
TAMU uses custom RBAC roles to enforce least-privilege access. Key roles include:
| Role | Description |
|---|---|
| TAMU Autopilot Administrator | Full Autopilot profile and device management |
| TAMU Application Administrator | App creation, deletion, and assignment |
| TAMU Application Operator | App management and assignment (no creation) |
| TAMU Android Administrator | Android Enterprise and FOTA management |
| TAMU Device Operator | Device actions (wipe, retire, sync) |
| TAMU Security Operator | Security baselines and compliance monitoring |
For complete role definitions, see Endpoint Custom Roles.
Related Documentation
Platform Integration
- Entra ID Best Practices — PIM configuration and conditional access
- Windows Update Experience — Update rings and Autopatch
Security & Compliance
- OneDrive Personal Sync Prevention — Blocking personal account sync
- Universal App Requirements — Requirement rules for Win32 apps
Reference Materials
- Microsoft Autopilot Overview — Official documentation
- Intune Device Lifecycle — Device cleanup procedures
- Dynamic Group Membership — Entra ID dynamic groups