This guide outlines the process for setting up and enrolling Windows OS devices on the Mobile Guardian platform using Microsoft Entra ID and Microsoft Endpoint Manager (Intune). Following these steps will enable a successful setup and enrolment. Ensure that all necessary permissions and roles are correctly configured for smooth integration.
Prerequisites:
To manage your Windows OS devices through the Mobile Guardian School Dashboard, the following are required:
- Microsoft Entra ID admin access
- Mobile Guardian Admin Dashboard access
- Microsoft Endpoint Manager (Intune) admin access
- Devices running Windows 10/11 Pro or a higher edition (Home editions cannot be Intune-enrolled)
Setting Up and Enrolling Windows OS Devices with Mobile Guardian via Microsoft Entra ID
#Note: Global Administrator role: the account used for these steps must hold the Global Administrator role in Microsoft Entra ID. In particular, granting tenant-wide admin consent to Microsoft Graph application permissions (Step 5) requires Global Administrator or Privileged Role Administrator. To verify:
- Sign in to Microsoft Entra ID
- Navigate to Users > All users > select the user > Assigned roles
- Confirm that Global Administrator is listed among the assigned roles.
Step 1: Create a Group in Microsoft Entra ID
Groups are essential for organising users, such as students, who will then be synced to your Mobile Guardian Dashboard.
- Go to Microsoft Entra ID Home
- Select Groups in the left navigation column and select All groups
Group types:
- Security groups are used to give group members access to applications and resources and to assign licences. Group members can be users, devices, service principals, and other groups.
- Microsoft 365 groups are used for collaboration, giving members access to a shared mailbox, calendar, files, SharePoint site, etc. Group members can only be users.
Creating a New Group:
- Click on New Group.
- Complete the necessary fields
- Click Create
- Refresh the window to see the newly created group.
Step 2: Create a Student Account
Mobile Guardian requires each device to have a distinct user account, ensuring proper device identification and management.
User Account Requirements
- Student Accounts: Students must be able to sign in to their devices using their Microsoft Entra ID accounts.
- Complete User Information: While Microsoft Entra ID might not require last names, Mobile Guardian does.
#Note: For each student account, please ensure all three fields (username, first name, and last name) are filled in.
Creating a new user
- Navigate to Users > All users
- Select New user > Create new user
Complete the Basics Tab
Fill in the required fields:
- User Principal Name
- Display Name
- Password (if you keep the auto-generated password, record it securely; it is only shown at creation time)
- Select Next: Properties
Fill in the Properties Tab
Complete the relevant information for the student:
- First Name
- Last Name
- User Type
- Ensure you add the email address for the user
- Select Next: Assignments
Assign the User to a Group
Assign the user to the respective group (created earlier):
- Select Add Group
- Select the Group (Check Box)
- Click Select
Review and Create the User
On the Review + Create tab, ensure all information is correct
- Click Create
- Refresh the screen to see the new user in the Users list.
Assign Licences
When using Microsoft 365, you need to purchase the licences and distribute them to users or groups through the Microsoft 365 admin center.
To confirm that licences have been assigned, view them in Entra by navigating to:
- Users or Groups
- Select the user or group
- Select Licenses
The assigned licences appear in the corresponding window.
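Mobile Guardian rejects a student account that lacks a first name, last name or email address, and a security group can also contain devices and nested groups that are not students at all. The following added example (not part of the original guide or of Mobile Guardian's own tooling) audits a page of group members as Microsoft Graph returns it from GET /groups/{group-id}/members with $select=userPrincipalName,givenName,surname,mail. The JSON payload below is constructed for the demo; the group ID, tenant and addresses are placeholders.

```python
import json

# Constructed sample of the JSON Microsoft Graph returns for
#   GET /groups/{group-id}/members?$select=userPrincipalName,givenName,surname,mail
# Each member carries an @odata.type; a security group may also contain
# devices and nested groups, which are not student accounts.
SAMPLE_MEMBERS_JSON = """
{
  "value": [
    {"@odata.type": "#microsoft.graph.user",
     "userPrincipalName": "ada.lovelace@school.example",
     "givenName": "Ada", "surname": "Lovelace", "mail": "ada.lovelace@school.example"},
    {"@odata.type": "#microsoft.graph.user",
     "userPrincipalName": "student2@school.example",
     "givenName": "Sam", "surname": null, "mail": "student2@school.example"},
    {"@odata.type": "#microsoft.graph.user",
     "userPrincipalName": "student3@school.example",
     "givenName": "Lee", "surname": "Park", "mail": null},
    {"@odata.type": "#microsoft.graph.device", "displayName": "LAPTOP-07"}
  ]
}
"""
SAMPLE_MEMBERS = json.loads(SAMPLE_MEMBERS_JSON)

# Fields Mobile Guardian needs populated on every student account.
REQUIRED_FIELDS = ("userPrincipalName", "givenName", "surname", "mail")


def audit_members(page: dict) -> dict:
    """Map each incomplete user member to the list of fields it is missing.

    Non-user members (devices, service principals, nested groups) are skipped
    because they never sign in as a student. Null and blank values both count
    as missing, since Graph returns null for properties that were never set.
    """
    problems = {}
    for member in page.get("value", []):
        if member.get("@odata.type") != "#microsoft.graph.user":
            continue
        upn = member.get("userPrincipalName") or "<no userPrincipalName>"
        missing = [f for f in REQUIRED_FIELDS if not (member.get(f) or "").strip()]
        if missing:
            problems[upn] = missing
    return problems


def audit_report(page: dict) -> str:
    """Human-readable summary of audit_members(), one line per incomplete user."""
    problems = audit_members(page)
    if not problems:
        return "all user members are complete"
    return "\n".join(
        f"{upn}: missing {', '.join(fields)}" for upn, fields in sorted(problems.items())
    )


if __name__ == "__main__":
    print(audit_report(SAMPLE_MEMBERS))
```

Against a real tenant, request the members with the $select shown in the comment and follow each page's @odata.nextLink, passing every page through audit_members before running the Mobile Guardian sync; fix the flagged accounts on the Properties tab of the user.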
Step 3: Create the Mobile Guardian API Integration
To authenticate with the Microsoft identity platform endpoint, you must first register your app at the Microsoft Identity app registration portal. You can use either a Microsoft account or a work or school account for this registration.
For a service that will call Microsoft Graph under its own identity, register your app for the Web platform and ensure you copy the following values:
- The application ID is assigned by the Microsoft Identity app registration portal.
- An application secret (password).
- A redirect URL for your service to receive token responses.
- A redirect URL for your service to receive admin consent responses if your app requests administrator consent.
For detailed steps on configuring an app using the Microsoft Identity app registration portal, refer to the Microsoft documentation.
Register the Application
- Navigate to Applications > App registrations
- Click New registration
Fill in the Application Details:
- Name: Enter the application name (e.g. Mobile Guardian).
- Supported account types: Select "Accounts in this organisational directory only (<your tenant name> only - Single tenant)". The tenant name shown here is Default Directory unless the tenant has been renamed.
- Platform: Choose Web.
- Redirect URLs: Enter the relevant URL for your instance (EU, US, ID).
- Click Register to complete the process.
Enter the Redirect URL for the Indonesia Instance:
Enter the Redirect URL for the EU Instance:
Enter the Redirect URL for the US Instance:
Step 4: Add a Client Secret
A client secret, sometimes referred to as an application password, is a string value that your app can use instead of a certificate to identify itself.
Client secrets are generally less secure than certificate credentials. While application developers may use client secrets during local app development for their convenience, it is recommended to use certificate credentials for any applications running in production.
Create a New Client Secret
While on your newly created application from App registrations.
- Navigate to Certificates & Secrets
- Select New Client Secret.
- Add a description for the client secret.
- Set an expiry. The portal's recommended value is 180 days (6 months); a shorter lifetime limits how long a leaked secret remains usable, so schedule the rotation before it lapses.
#Note: The client secret lifetime is limited to two years (24 months) or less. You can't specify a custom lifetime longer than 24 months.
- Click Add.
#Note: Copy and save the secret Value (not the Secret ID) immediately; it is shown once and cannot be retrieved afterwards. Store it in a secrets manager, never in a ticket or email, and create a new secret if it is lost.
Step 5: Configure Permissions
- Go to API Permissions
- Select Add a permission
- Under the Microsoft APIs tab, select Microsoft Graph
- Choose Application permissions (your application runs as a background service or daemon without a signed-in user)
Add the following application permissions:
- Device.Read.All
- User.Read.All
- DeviceManagementManagedDevices.ReadWrite.All
- Group.Read.All
#Note: You can search and select all the permissions before you select Add Permissions.
Application permissions always require admin consent, so the Admin consent required column shows Yes for each of them; until consent is granted the Status column reads Not granted.
- Select Grant admin consent for <your tenant> (shown as Default Directory if the tenant keeps its default name) and confirm that the Status column reads Granted for every row.
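Once consent is granted, the practical check is to obtain a token with the application ID and client secret from Steps 3 and 4 and confirm that the token's roles claim lists all four application permissions; a permission that was added but never consented to does not appear there. The example below is added here and is not code from the original guide or from Mobile Guardian: it builds the client-credentials request to the Microsoft identity platform, decodes the returned token's claims, and reports the missing roles. The tenant ID, application ID and secret are placeholders, and the sample token it decodes is constructed and unsigned for the demo (real tokens are signed by Entra ID).

```python
import base64
import json
import time
from urllib.parse import urlencode

# Application permissions this guide adds in Step 5.
REQUIRED_ROLES = {
    "Device.Read.All",
    "User.Read.All",
    "DeviceManagementManagedDevices.ReadWrite.All",
    "Group.Read.All",
}

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def build_token_request(tenant_id: str, client_id: str, client_secret: str):
    """Return (url, form_body) for the OAuth 2.0 client-credentials grant.

    The app authenticates as itself with no signed-in user, which is why
    Step 5 selects Application permissions rather than Delegated ones.
    """
    body = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    })
    return TOKEN_URL.format(tenant=tenant_id), body


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_claims(access_token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature.

    Adequate for inspecting a token the tenant just issued to this app;
    never use it to accept a token presented by another party.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(_b64url_decode(parts[1]))


def missing_roles(claims: dict, required=REQUIRED_ROLES) -> set:
    """Application permissions that admin consent has not (yet) granted."""
    return set(required) - set(claims.get("roles", []))


def make_unsigned_sample_token(roles, tenant_id="00000000-0000-0000-0000-000000000000"):
    """Constructed for the demo: an unsigned token with the given roles claim."""
    header = {"typ": "JWT", "alg": "none"}
    payload = {
        "aud": "https://graph.microsoft.com",
        "tid": tenant_id,
        "roles": list(roles),
        "exp": int(time.time()) + 3600,
    }
    return f"{_b64url_encode(header)}.{_b64url_encode(payload)}."


if __name__ == "__main__":
    url, body = build_token_request("<tenant-id>", "<application-id>", "<client-secret-value>")
    print("POST", url)
    print(body)
    # Consent granted for only two of the four permissions:
    token = make_unsigned_sample_token(["User.Read.All", "Group.Read.All"])
    print("missing:", sorted(missing_roles(decode_claims(token))))
```

In use, POST the body to the URL with Content-Type application/x-www-form-urlencoded, pass the access_token from the JSON response to decode_claims, and treat any non-empty result from missing_roles as "admin consent not yet granted for that permission".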
Next, we will move to part two of the enrolment.
We hope you found this useful.
Thanks for reading! 🙂