Register your interest by completing the Intune Registration Form. The Intune team will then contact you to discuss a date to onboard. Prior to onboarding, you’ll just need to provide some basic details via the Onboarding Request Form. We’ll then be able to technically onboard your organisation and you can start enrolling devices.

Most NHSmail organisations who have the required licencing are eligible to join the NHSmail Intune Service. Currently, organisations that are managed by the National Administration Service (NAS) are unable to use the service.

The technical onboarding of organisations only takes a few hours. Once this has completed, we’ll confirm this and you can then begin enrolling devices.

To complete the Onboarding Request Form, you will need your organisation’s ODS Code, the nhs.net email addresses of all LAs who will need RBAC permissions, and the estimated number of users expected to use Intune-enrolled devices at your organisation.

Yes. Multi-organisations (those managing the devices of other organisations / having their devices managed by other organisations) can use NHSmail Intune.

For further details please see this article: https://support.nhs.net/knowledge-base/multi-organisation-management/

Yes, we can offer an introductory call to you as part of the onboarding process to provide an overview of the service and allow you to ask any specific questions.

No. Onboarding to use the platform does not commit your organisation to enrol a certain number of devices or to use it as your main MDM.

If you are a Local Administrator for your organisation and have been provided with RBAC permissions for NHSmail Intune, you should be able to access the Intune Portal to begin configuring your organisation’s environment and enrolling devices by following this link: https://endpoint.microsoft.com/

EMS E3 and AADP2 licences are required and will need to be assigned to all LAs and end users who will be using an Intune-enrolled device. These licences should have already been procured before completing and submitting the Onboarding Form. Procured EMS and AADP2 licences should be moved to the NHSmail Shared tenant. This is required to ensure that your licences are visible in the NHSmail Portal and available for LAs to manage through the NHSmail Portal.

If you have not already moved your EMS licences into the NHS Shared Tenant, you will be able to submit a Licence Onboarding Request via Helpdesk Self-Service so that this can be done.

Yes. We can still technically onboard your organisation even if you do not have the required licences yet. Please note however, you will not be able to use the functionality until licences have been procured and correctly assigned.

Most likely, the issue will be that you have not assigned an EMS E3 licences to individual users at your organisation. Once licences have been assigned to individual users, they should then be able to access the portal. For further details on assigning licences via User Policies in NHSmail please see these articles: https://support.nhs.net/knowledge-base/-a-user-policy/

https://support.nhs.net/knowledge-base/editicreatingng-and-removing-a-user-policy/

All users using shared Windows 10/11 devices will need an EMS E3 and AADP2 licence assigned to them.

Users using shared iOS and Android devices do not need an EMS E3 and AADP2 licence assigned to them.

Yes, this link will need to have been successfully completed before you will be able to enrol any iOS devices into NHSmail Intune.

To connect ABM to NHSmail Intune, organisations will need a device enrolment token from the Apple portal. This token lets Intune sync information for your Apple devices and permits Intune to upload enrolment profiles to Apple. A step-by-step guide to linking your ABM is included in the Operations Guide, although LAs are encouraged to raise a Service Request via Helpdesk Self-Service in order for the Intune Live Service team to support with this.

Yes. While you will need to link your ABM into NHSmail Intune when you are onboarding, this does not mean you need to unlink another MDM solution. This should make it easier for organisations to transition onto the NHSmail Intune Service, without leaving any devices unmanaged.

Any iOS/iPadOS, Android, Windows 10/11 (including Surface Hubs) or HoloLens 2 corporate devices can be enrolled.

There is no limit to the number of devices which can be managed via the NHSmail Intune Service.

Yes. You will just need to remove all devices you intend to onboard onto the NHSmail Intune Service from any previous MDM solution/s.

This is not usually possible, but it may depend on the MDM solution you were using previously. If you have previously used Microsoft Intune, you may be able to export and import policies and profiles, otherwise you will need to manually move policies.

Yes. When your organisation is onboarded, we will ask for an initial list of Local Admins to provide permissions to. If you need to add or remove individuals from this list, please raise a Service Request with the Intune Live Service Team via Helpdesk Self-Service.

NHSmail Intune provides three different RBAC roles.

1. Administrator role
2. First-line RBAC role
3. Read-only RBAC role

For further details on these roles please see the NHSmail Intune Operations Guide.

No. LAs are not able to manage groups of users and devices via the Intune portal. Local Admins will need to use the NHSmail Intune Security Group Management app to manage groups of users and devices in Intune.

Local Admins from onboarded organisations can access the Group Management Application by following this link: https://make.powerapps.com/environments/762c3051-5c30-48ed-adde-537f357687dd/apps

Guidance on how to use and manage Groups via this application can be found in the NHSmail Intune Operations Guide

All supporting documentation created to support onboarded organisations to smoothly transition onto the service can be found here.

In the first instance, LAs should refer to the Operations Guide for Local Administrators and Onboarding Managers to try to troubleshoot any technical issues. If support is still required, then LAs should submit an incident to the Intune Live Service Team via Helpdesk Self-Service.

Onboarded organisations can use the NHSmail Intune Teams channel to understand more about the experience of others on the platform. Onboarded organisations can also reach out for support directly from the Microsoft FastTrack Team. Further details available in this article: https://support.nhs.net/knowledge-base/microsoft-fasttrack-support/

No, the Intune Live Service Team and Microsoft FastTrack Team can remotely support with any technical issues and/or understanding more about NHSmail Intune but all on-site deployment activities are the responsibility of organisations.

Yes. For further details please see this article: https://support.nhs.net/knowledge-base/nhsmail-intune-service-co-management-and-certificate-provisioning/

Yes. Samsung Knox can be used. For further details, please see this article: https://support.nhs.net/knowledge-base/nhsmail-intune-service-samsung-knox-mobile-enrolment-kme/

Integration with Google Zero touch is in advanced testing and is likely to be available for onboarded organisations to use soon.

No. Cisco ISE is not compatible with NHSmail Intune.

mYes. There are 3 ways to manage Windows 10/11 devices on NHSmail Intune. For further details, please see this section: https://support.nhs.net/article-categories/windows-10-11/

Yes. The Intune Live Service Team will be able to support your organisation with understanding and progressing through the prerequisites. If you would like to request support, please contact the Intune Live Service Team or leave a message on the Intune Teams Channel.

A Bring Your Own Device (BYOD) project is currently in progress and in pilot phase. Please look out for updates on this via the NHSmail Intune Teams Channel.

Zebra Mobility Extension

Read-only RBAC permission

Autopilot Manufacturer Provisioning

Widows Store

Google Zero Touch

If there is a feature you would like to be added to NHSmail Intune, please let us know so we can add it to our Product backlog. You can request a new feature by contacting the Intune Live Service Team.

Please note that there is no guarantee we will be able to make your requested feature available.