Intune DEM account security

  • Question

  • Hi all, I am still quite new to Intune.

    I am going to implement Intune in my environment, and my side requirement is to use only one account to enrol a few hundred machines. I have looked through the Intune documentation and plan to use DEM (Device Enrollment Manager), and we are not allowed to let users have the DEM account password. I believe someone suggested I use bulk enrollment, but my environment wants to keep it simple and use one account across all devices to be managed. But here are some of the questions that concern me.

    1. Users are able to just sign into www.office.com in the internet browser without keying in the DEM account user name and password. I believe this is using SSO (Single Sign-On). How do I prevent this from happening? (Note: I do not want to block the link www.office.com.)

    2. If this is by design, what can users do when they sign into www.office.com? What kind of damage can be done to my production environment?
     
    Thursday, May 16, 2019 2:59 AM

All replies

  • > use only one account to be implement across few hundred machine

    Why is this a requirement?

    Is your questions specific to a single device type such as iOS, Android, or Windows?


    Jason | https://home.configmgrftw.com | @jasonsandys

    Thursday, May 16, 2019 4:02 AM
  • Windows 10 machines. Our machines are all common machines that have a standard local account, and all those local accounts are common, e.g. USER 1. We just want to use MDM with registration to enroll them into Intune.

    Our environment has a few sites. Our engineer will go down to each site to enroll those machines, so we are using one common account, "DEM", to enroll all the Windows 10 machines. We can't let the engineer remember many hundreds of Azure user accounts to enroll all those devices, not to mention that every machine already has an existing standard user account. Users will still want to log into their own standard local account.

    It is something similar to AD, like using an administrator account to join all those machines into the domain. I know this is different, but my site mentioned they don't want to use so many Azure AD accounts to do that. But now the DEM account has the problem above.

    Can anyone advise?
    Thursday, May 16, 2019 4:22 AM
  • Hi Chang,

    Please understand that if the user uses the device without switching to the local standard user, the DEM account will be signed in automatically when signing into www.office.com. If the user switches to the local standard user and signs into www.office.com, it will not sign in automatically. Therefore, it depends on which user account is used for logging in on the current device. I think we can guide users to switch to their local standard user account after enrollment.

    On the other hand, if the user doesn't switch to the standard account and uses the DEM account to sign into www.office.com, it will consume an Office license. To restrict this, we can control which Office licenses are assigned in Intune. We can go to Dashboard->Users - All users->DEM account – Licenses->Assign license to control the assigned licenses.

    Best regards,

    Cici Wu


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, May 17, 2019 2:54 AM
  • May I know which one I should turn off? Under licenses?
    Friday, May 17, 2019 5:49 AM
  • Hi Chang,

    Based on my test, I turned off some options, such as "Office Online", and tried to access www.office.com again, but I can still sign into this portal. Even if I remove the Office license from the user in Intune, I can still sign in, but with nothing configured.

    During all the tests, only if I sign into the Office 365 admin portal and block sign-in for this account will it be blocked from signing into the portal.

    Best regards,

    Cici



    Friday, May 17, 2019 8:30 AM
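  • As an added example that is not part of this thread or of Microsoft's documentation: the two controls Cici tested above (removing the Office license and blocking sign-in) can be audited from PowerShell with the Microsoft Graph PowerShell SDK before anyone changes them in the portal. The DEM account UPN, the Graph scopes and the `$remove` switch are assumptions for illustration; the caveats in the comments repeat what the thread itself reports.

```powershell
# Added example (not from the thread): audit a DEM account's sign-in state and
# license assignments with the Microsoft Graph PowerShell SDK (Microsoft.Graph.Users).
# Assumptions: the SDK is installed, you hold the scopes below, and $DemUpn is a
# placeholder for the real DEM account.

$DemUpn = 'dem@contoso.example'   # placeholder UPN, replace with the real DEM account

Connect-MgGraph -Scopes 'User.Read.All', 'User.ReadWrite.All'

# 1. Is the account allowed to sign in? AccountEnabled = $false is the
#    "Block sign-in" switch from the admin portal. The thread reports that this
#    also stops policy sync on devices enrolled with the DEM account, so it is
#    a check here, not a recommended change.
$user = Get-MgUser -UserId $DemUpn -Property 'DisplayName','UserPrincipalName','AccountEnabled'
'{0}: AccountEnabled = {1}' -f $user.UserPrincipalName, $user.AccountEnabled

# 2. Which licenses does the account hold? Each SKU is a service a user could
#    consume when the browser signs them in as DEM via SSO.
$licenses = Get-MgUserLicenseDetail -UserId $DemUpn
$licenses | Select-Object SkuPartNumber, SkuId | Format-Table -AutoSize

# 3. Optional: remove every directly assigned license. As Cici observed, this
#    does NOT by itself stop sign-in to www.office.com; it only removes the
#    services behind the portal. Review the list above before flipping $remove.
$remove = $false   # set to $true to apply
if ($remove -and $licenses) {
    Set-MgUserLicense -UserId $DemUpn -AddLicenses @() -RemoveLicenses @($licenses.SkuId)
}
```

    Licenses inherited from a group cannot be removed per user with `Set-MgUserLicense`; in that case the group membership is what to review.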
  • You may want to enroll the devices into Microsoft Intune using Windows Autopilot Self Deploying Mode. This does require that your devices have Windows 10 1809 or higher installed and a TPM 2.0 chip, so you may need to upgrade them and harvest the hardware hashes for Windows Autopilot. But this allows you to enroll the devices into Intune without a user at all.

    With Self-Deploying mode, there are no local administrators on the device by default. Also, there is no user associated to a device. If you require local administrator permissions on a device, add an account to the Azure AD Device Administrators role.

    Friday, May 17, 2019 8:36 AM
  • Hi Cici Wu, I have tried blocking sign-in. This will also prevent the user from syncing any policy. I really appreciate your time and help in testing this for me.
    Friday, May 17, 2019 11:15 AM
  • Hi all, I have opened a Microsoft ticket for this case, and they have helped me solve the issue. Settings > Email & accounts > on the DEM account click Manage > this will automatically sign into the browser using the DEM account; on Manage account, click "Sign out everywhere". This signs out my DEM account everywhere in my environment but still keeps my devices enrolled.
    Friday, May 17, 2019 11:25 AM