This article provides an overview of new features that have recently been added to NHSmail Intune to enhance user experience and/or the security of the platform. It will be updated periodically as additional features are released.
macOS Deployment
The NHSmail team are pleased to announce the macOS deployment solution for NHS Local Organisations on the Intune platform.
macOS is one of the platforms supported by Microsoft Intune. As part of the NHSmail Intune backlog, we have deployed a solution for macOS device enrolment.
The supported enrolment method for NHSmail Intune is Apple Automated Device Enrollment (ADE).
ADE automates enrolment for devices registered in Apple Business Manager (ABM): the enrolment profile is delivered over the air during initial device setup, so the device comes under management before it is handed to the user.
Apple Business Manager (ABM) is the Apple portal that enables enterprises to simplify and automate the bulk management and deployment of corporate-owned Apple devices, including macOS, iOS and iPadOS. ABM integrates tightly with Intune to provide secure and simplified user enrolment of devices.
To allow users to enrol macOS devices, Intune Local Admins need to download the ADE (enrolment program) token from the ABM portal and upload it to Intune. This token lets Intune sync information about the ADE devices that an organisation manages; it also lets Intune upload enrolment profiles to Apple and assign devices to those profiles. Note that the token expires after one year: download a fresh token from ABM and upload it to Intune before expiry, otherwise device sync and profile assignment stop until it is renewed.
Detailed information on how to enable ABM can be found in the NHSmail Intune Operations Guide.
Prerequisites
Prior to enrolling any macOS devices into Intune, the following minimum requirements should be validated:
- macOS 10.15 or later
- Devices have been erased and are not currently assigned to another organisation in ABM (a device can be assigned to only one ABM organisation at a time).
For more information about this feature, please refer to the Operations Guide.
Windows Autopatch
What is Autopatch?
Windows Autopatch is a Microsoft-managed service that automates the deployment and management of updates for selected Microsoft products, including:
- Windows Feature and quality updates
- Microsoft 365 Apps for Enterprise updates
- Microsoft Edge updates
- Microsoft Teams client updates
Devices are marked healthy or unhealthy to indicate whether they are receiving updates as expected, and the Intune reporting blades show update coverage across your organisation's estate.
Windows Autopatch uses an update framework similar to Windows Update rings: devices are spread across deployment rings so that a small group receives each update first and the remainder follow on a slower cadence.
For a detailed description of the capabilities and operation of this framework, refer to the Microsoft Windows Autopatch documentation.
Android Device Renaming
To enable the renaming of Android Enterprise devices for all future enrolments into Intune, we have changed the NHSmail Intune automation to rename devices automatically.
Newly enrolled Android Enterprise fully managed and dedicated (shared) devices are now renamed at the point when they are scoped/assigned to their organisation-specific Android groups using the organisation's ODS code.
In addition, a separate, centrally managed PowerShell script targets existing enrolled Android devices. The script reads a list of organisation-specific Android groups from a .CSV file and renames each fully managed / shared device within the groups listed.
To adopt renaming for existing Android devices, LAs should raise a service request and the Intune Live Service team will run the script on their behalf.
Important Notes for adoption:
The resulting naming format for each Android Enterprise enrolment type is:
- Fully managed devices: “ODS-OS-FirstName-LastName-SerialNumber”
- Dedicated (shared) devices: “EnrollmentProfile-OS-SerialNumber”
Example: “LSP01-AndroidEnterprise-Sean-Kaila-RZ8NC0VYP2X”
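The following script is an added illustration of the renaming procedure described above; it is not the NHSmail team's centrally managed script. It assumes a CSV with the columns OdsCode and GroupId (one row per organisation-specific Android group), that the Microsoft Graph PowerShell SDK is installed, and that the "OS" segment is rendered as "AndroidEnterprise" to match the example name above (Graph itself reports operatingSystem as "Android"). The Intune setDeviceName action and the enrollmentProfileName property are on the Graph beta endpoint, so beta is used for the Intune calls. By default it performs a dry run and only reports the old and new names; pass -Apply to rename.

```powershell
#Requires -Modules Microsoft.Graph.Authentication
# Added example, not the NHSmail team's script. Assumptions: CSV columns OdsCode,GroupId;
# "AndroidEnterprise" substituted for Graph's operatingSystem "Android" to match the page's format;
# Intune calls use the beta endpoint (setDeviceName, enrollmentProfileName).
param(
    [string]$GroupCsvPath = '.\android-groups.csv',
    [switch]$Apply   # default is a dry run that only reports Old -> New
)

Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.ReadWrite.All',
                        'GroupMember.Read.All', 'User.Read.All' | Out-Null

# Follow @odata.nextLink so large groups are enumerated completely
function Get-GraphPages([string]$Uri) {
    while ($Uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $page.value
        $Uri = $page.'@odata.nextLink'
    }
}

function Get-TargetDeviceName {
    param($Device, $User, [string]$OdsCode)
    $clean = { param($s) ($s -replace '[^A-Za-z0-9]', '') }   # hyphen stays the only separator
    $os = if ($Device.operatingSystem -eq 'Android') { 'AndroidEnterprise' } else { $Device.operatingSystem }
    switch ($Device.deviceEnrollmentType) {
        'androidEnterpriseFullyManaged' {
            if (-not $User) { return $null }   # no primary user: leave the name alone rather than guess
            '{0}-{1}-{2}-{3}-{4}' -f $OdsCode, $os, (& $clean $User.givenName), (& $clean $User.surname), $Device.serialNumber
        }
        'androidEnterpriseDedicatedDevice' {
            '{0}-{1}-{2}' -f (& $clean $Device.enrollmentProfileName), $os, $Device.serialNumber
        }
        default { $null }   # work-profile and other enrolment types are out of scope for renaming
    }
}

$groups = Import-Csv -Path $GroupCsvPath
$result = foreach ($g in $groups) {
    # Device objects in the group only; the Entra deviceId joins to managedDevice.azureADDeviceId
    $members = Get-GraphPages "https://graph.microsoft.com/v1.0/groups/$($g.GroupId)/members/microsoft.graph.device?`$select=deviceId,displayName"
    foreach ($m in $members) {
        $mdUri = "https://graph.microsoft.com/beta/deviceManagement/managedDevices?`$filter=azureADDeviceId eq '$($m.deviceId)'" +
                 "&`$select=id,deviceName,serialNumber,operatingSystem,deviceEnrollmentType,enrollmentProfileName,userId"
        $md = Get-GraphPages $mdUri | Select-Object -First 1
        if (-not $md) { continue }   # Entra object with no Intune record (stale or not enrolled)
        $user = $null
        if ($md.userId) {
            $user = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/users/$($md.userId)?`$select=givenName,surname"
        }
        $new = Get-TargetDeviceName -Device $md -User $user -OdsCode $g.OdsCode
        if (-not $new -or $new -eq $md.deviceName) { continue }   # nothing to do, or already renamed
        if ($Apply) {
            Invoke-MgGraphRequest -Method POST -Body @{ deviceName = $new } `
                -Uri "https://graph.microsoft.com/beta/deviceManagement/managedDevices/$($md.id)/setDeviceName"
        }
        [pscustomobject]@{ Group = $g.GroupId; Serial = $md.serialNumber; Old = $md.deviceName; New = $new; Applied = [bool]$Apply }
    }
}
$result | Format-Table -AutoSize
```

Run it once without -Apply and review the Old/New table for the groups in your CSV before applying; devices without a primary user, and enrolment types other than fully managed or dedicated, are deliberately skipped rather than given a guessed name.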
For more information about this feature, please refer to the Operations Guide.
Sync Engine Multiple OU Recursion
The NHSmail team are pleased to announce the release of this feature to Local Organisations on the hybrid platform.
The following update is relevant to both hybrid tracks:
- Hybrid Join – Devices Hybrid Joining to NHS.net Azure AD
- Cloud+SSO – AAD-Joined devices with User Identity enhancements
The synchronisation engine pre-stages devices, which are provided by the Local Organisation, into Azure AD using the NHSmail IaaS services. Additionally, the sync engine prepares custom attributes for users and devices, making them ready for synchronisation with NHS.net Azure AD.
Currently, the sync engine searches only a single OU, nominated by each Local Organisation, for devices and users. This update enables Local Administrators (LAs) to nominate multiple OU locations, and the engine will recursively search every sub-OU beneath each OU selected.
This change also adds the capability to mark a hybrid organisation as “Active” or “Inactive”. Marking an organisation Inactive stops the hybrid join process for that organisation alone, rather than stopping the hybrid join operation for all onboarded organisations.
Key Changes for Local Admins
Local Admins will be able to give Accenture / Avanade multiple OU location paths to expand the hybrid sync. After sending the OU paths, LAs can arrange the sub-OUs beneath them as required, since sub-OUs are picked up recursively.
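Before handing over OU paths, an LA can preview what a recursive search over those OUs would return from the local Active Directory. The script below is an added example for that check; it is not the sync engine and does not reproduce its attribute preparation. The OU paths in it are constructed placeholders, and it assumes the ActiveDirectory PowerShell module is available on the machine where it runs.

```powershell
#Requires -Modules ActiveDirectory
# Added example for Local Admins (not the NHSmail sync engine): preview the computers and enabled
# users a recursive search over the OU list you intend to hand over would pick up.
param(
    [string[]]$OuPaths = @(   # constructed placeholder OUs; replace with your own
        'OU=Workstations,OU=Trust,DC=corp,DC=example,DC=nhs,DC=uk',
        'OU=Laptops,OU=Trust,DC=corp,DC=example,DC=nhs,DC=uk'
    )
)

function Get-HybridSyncScopePreview {
    param([string[]]$Bases)
    # One listed OU nested under another is redundant: the recursive search already covers it
    foreach ($outer in $Bases) {
        foreach ($inner in $Bases) {
            if ($inner -ne $outer -and $inner -like "*,$outer") {
                Write-Warning "$inner is inside $outer; listing both is redundant"
            }
        }
    }
    $seen = @{}
    foreach ($base in $Bases) {
        try { $null = Get-ADOrganizationalUnit -Identity $base }
        catch { Write-Warning "OU not found: $base"; continue }
        # -SearchScope Subtree covers the OU and every sub-OU beneath it (the recursion this update adds)
        $computers = Get-ADComputer -SearchBase $base -SearchScope Subtree -Filter * -Properties OperatingSystem
        $users     = Get-ADUser     -SearchBase $base -SearchScope Subtree -Filter 'Enabled -eq $true'
        foreach ($obj in @($computers) + @($users)) {
            if ($seen.ContainsKey($obj.DistinguishedName)) { continue }   # de-duplicate overlapping bases
            $seen[$obj.DistinguishedName] = $true
            [pscustomobject]@{
                Type     = $obj.ObjectClass
                Name     = $obj.Name
                # strip the leading RDN (allowing for escaped commas) to show the containing OU
                ParentOU = $obj.DistinguishedName -replace '^CN=(?:[^,\\]|\\.)+,', ''
                OS       = $obj.OperatingSystem   # $null for user objects
                FromBase = $base
            }
        }
    }
}

$preview = Get-HybridSyncScopePreview -Bases $OuPaths
$preview | Group-Object Type, FromBase | Select-Object Count, Name | Format-Table -AutoSize
$preview | Export-Csv -Path .\hybrid-sync-scope-preview.csv -NoTypeInformation
```

The summary table shows how many computers and users each base OU contributes, and the exported CSV lists every object with its containing OU, so anything that should not be hybrid joined (for example a sub-OU of servers or test accounts) is visible before the paths are sent.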
For more information about this feature, please refer to the Operations Guide.