This guide walks you through setting up and enrolling Windows OS devices on the Mobile Guardian platform via Azure Active Directory and Microsoft Endpoint Manager (Intune). Before you begin, make sure the roles, licenses and API permissions described below are correctly assigned; the integration will not work without them.
In order to manage your Windows OS devices through the Mobile Guardian School Dashboard, configuration must be completed in each of the following:
- Azure Active Directory
- Mobile Guardian Dashboard
- Microsoft Endpoint Manager (Intune)
Setting Up and Enrolling Windows OS Devices with Mobile Guardian via Azure Active Directory
Prerequisites
Global Administrator Role: Ensure the account used to access Azure has the Global Administrator role.
- Sign in to Azure Active Directory
- Navigate to Users > Select the User > Assigned Roles
- Verify the user has the Global Administrator role assigned.
Step 1: Create a Group in Azure Active Directory
Groups organise users (for example, students) in Azure Active Directory; the groups you create here are what will later be synced to the Mobile Guardian Dashboard.
Go to Azure Active Directory Home
- Select Groups in the left navigation column.
Create a New Group
Security groups are used to give group members access to applications and resources, and to assign licenses. Group members can be users, devices, service principals, and other groups.
Microsoft 365 groups are used for collaboration, giving members access to a shared mailbox, calendar, files, SharePoint site, and so on. Group members can only be users.
- Click on New Group.
- Complete the necessary fields
- Click Create
- Refresh the window to see the newly created group.
Step 2: Create a Student Account
Mobile Guardian requires each device to have a distinct user account, ensuring proper device identification and management.
User Account Requirements
- Student Accounts: Students must be able to sign in to their devices using their Azure AD accounts.
- Complete User Information: While Azure AD might not require last names, Mobile Guardian does.
#Note: For each student account, please ensure all three fields (username, first name, and last name) are filled in.
Navigate to Users
- Select New User > Create New User.
Complete the Basics Tab
Fill in the required fields:
- User Principal Name
- Display Name
- Password (if you keep the auto-generated password, record it now; it cannot be retrieved after the user is created).
- Click Next: Properties.
Fill in the Properties Tab
- Complete the relevant information for the student and select Next.
Assign the User to a Group
- In the Assignments tab, assign the user to the respective group created earlier.
Review and Create the User
- On the Review + Create tab, ensure all information is correct and click Create.
- Refresh the screen to see the new user in the Users list.
Assign Licenses
- On the Azure Active Directory overview page, select Licenses in the left-hand navigation column.
- Assign the Azure Active Directory Premium P2 product to the user.
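The Step 1 and Step 2 portal procedure, as an added Microsoft Graph PowerShell example (not part of the original Mobile Guardian guide). It creates the security group, a student account with all three fields Mobile Guardian requires, adds the student to the group, assigns the license, and then audits the group for accounts that are missing a first or last name. The group name, the student's details, the usage location and the `AAD_PREMIUM_P2` SKU part number are assumptions; replace them with your own values.

```powershell
# Added example, not part of the original guide. Requires the Microsoft.Graph module
# (Install-Module Microsoft.Graph) and an admin able to manage users, groups and licenses.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.ReadWrite.All', 'Organization.Read.All' -NoWelcome

# Step 1: a security group (not a Microsoft 365 group), so users and devices can both be members.
$group = New-MgGroup -DisplayName 'MG Students' -MailNickname 'mgstudents' `
    -MailEnabled:$false -SecurityEnabled:$true

# Step 2: one distinct account per device. Mobile Guardian needs username, first name
# AND last name, so GivenName and Surname are set here even though Azure AD does not require them.
$bytes = [byte[]]::new(18)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$initialPassword = [Convert]::ToBase64String($bytes)   # random initial password, changed at first sign-in

$student = @{
    UserPrincipalName = 'jane.doe@contoso.onmicrosoft.com'   # assumed tenant domain
    DisplayName       = 'Jane Doe'
    GivenName         = 'Jane'
    Surname           = 'Doe'
    MailNickname      = 'jane.doe'
    UsageLocation     = 'GB'                                  # must be set before a license can be assigned
    AccountEnabled    = $true
    PasswordProfile   = @{ Password = $initialPassword; ForceChangePasswordNextSignIn = $true }
}
$user = New-MgUser @student

# Assignments tab equivalent: put the student in the group created above.
New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id

# Licenses: assign the Azure AD Premium P2 product named in the guide (SKU part number assumed).
$sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq 'AAD_PREMIUM_P2'
if (-not $sku) { throw 'AAD_PREMIUM_P2 is not available in this tenant' }
Set-MgUserLicense -UserId $user.Id -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @() | Out-Null

# Check: list group members that would be rejected by Mobile Guardian because a name field is empty.
function Get-IncompleteStudentAccounts {
    param([Parameter(Mandatory)] [string] $GroupId)
    Get-MgGroupMember -GroupId $GroupId -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' } |
        ForEach-Object { Get-MgUser -UserId $_.Id -Property Id, UserPrincipalName, GivenName, Surname } |
        Where-Object { [string]::IsNullOrWhiteSpace($_.GivenName) -or [string]::IsNullOrWhiteSpace($_.Surname) } |
        Select-Object UserPrincipalName, GivenName, Surname
}

# Run before syncing the group to the dashboard; an empty result means every member has both names.
Get-IncompleteStudentAccounts -GroupId $group.Id
```

Run the audit function again whenever students are bulk-imported, since accounts created by other tools are the usual source of missing last names.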
Step 3: Create the Mobile Guardian API Integration
To authenticate with the Microsoft identity platform endpoint, you must first register your app at the Azure app registration portal. You can use either a Microsoft account or a work or school account for this registration.
For a service that will call Microsoft Graph under its own identity, register your app for the Web platform and ensure you copy the following values:
- The application (client) ID, which is assigned by the Azure app registration portal.
- An application secret (password).
- A redirect URL for your service to receive token responses.
- A redirect URL for your service to receive admin consent responses if your app requests administrator consent.
For detailed steps on configuring an app using the Azure app registration portal, refer to the Microsoft documentation.
Register the Application
- Sign in to the Azure portal and navigate to Azure Active Directory > App registrations.
- Click on New Registration.
Fill in the Application Details
- Name: Enter the application name (e.g. Mobile Guardian).
- Supported Account Types: Select "Accounts in this organizational directory only (Default Directory only - Single tenant)".
- Platform: Choose Web.
- Redirect URL: Enter the callback URL for the Mobile Guardian instance your school uses (EU, US, SG, etc.). The URLs for the Indonesia, EU and US instances are:
- Indonesia instance: https://id-api.mobileguardian.com/msapi/authorise/callback
- EU instance: https://api.mobileguardian.com/msapi/authorise/callback
- US instance: https://us-api.mobileguardian.com/msapi/authorise/callback
Complete the Registration
- Click Register to complete the process.
Step 4: Add a Client Secret
A client secret, sometimes referred to as an application password, is a string value that your app can use instead of a certificate to identify itself.
Client secrets are generally less secure than certificate credentials. While application developers may use client secrets during local app development for their convenience, it is recommended to use certificate credentials for any applications running in production.
Create a New Client Secret
- Select your application from App registrations.
- Go to Certificates & secrets > Client secrets > New client secret.
- Add a description for the client secret.
- Set an expiration value (Microsoft recommends less than 12 months). The portal limits a client secret's lifetime to two years (24 months) or less; you can't specify a custom lifetime longer than 24 months.
- Record the expiry date and plan to rotate the secret before then: once it expires, Mobile Guardian can no longer authenticate to your tenant and the integration stops working.
- Click Add.
#Note: Copy and save the secret's Value immediately as it won't be displayed again.
Step 5: Configure Permissions
Go to API Permissions
- Select API permissions in the left-hand navigation column.
- Click Add a permission > Microsoft Graph.
- Add the following application permissions:
- Device.Read.All
- User.Read.All
- DeviceManagementManagedDevices.ReadWrite.All
- Group.Read.All
- Choose Application permissions, not Delegated permissions: Mobile Guardian calls Microsoft Graph under its own identity (see Step 3), so delegated permissions would not apply.
- Application permissions always show Admin consent required as Yes. After adding them, click Grant admin consent for your tenant and confirm the Status column shows Granted for each of the four permissions; until consent is granted, the integration's Graph calls will be rejected.
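Steps 3 to 5 as an added Microsoft Graph PowerShell example (not part of the original guide or of Mobile Guardian's own tooling). It registers the single-tenant Web application with the EU redirect URL from Step 3, declares the four Graph application permissions from Step 5 by looking their IDs up on the Microsoft Graph service principal rather than hard-coding GUIDs, adds a client secret with a lifetime well under the 24-month cap, grants admin consent, and finishes with a check for secrets that are about to expire. The app name, the choice of the EU instance and the 6-month secret lifetime are assumptions.

```powershell
# Added example, not part of the original guide. Requires the Microsoft.Graph module and an
# admin who can create app registrations and grant tenant-wide admin consent.
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All' -NoWelcome

$redirectUri = 'https://api.mobileguardian.com/msapi/authorise/callback'   # EU instance (assumed)
$permissions = 'Device.Read.All', 'User.Read.All',
               'DeviceManagementManagedDevices.ReadWrite.All', 'Group.Read.All'

# Resolve each permission to the matching *application* role on the Microsoft Graph service principal.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$appRoles = foreach ($p in $permissions) {
    $role = $graphSp.AppRoles | Where-Object { $_.Value -eq $p -and $_.AllowedMemberTypes -contains 'Application' }
    if (-not $role) { throw "Graph application permission '$p' not found" }
    $role
}

# Step 3: single-tenant registration on the Web platform, permissions declared up front.
$app = New-MgApplication -DisplayName 'Mobile Guardian' -SignInAudience 'AzureADMyOrg' `
    -Web @{ RedirectUris = @($redirectUri) } `
    -RequiredResourceAccess @(@{
        ResourceAppId  = $graphSp.AppId
        ResourceAccess = @($appRoles | ForEach-Object { @{ Id = $_.Id; Type = 'Role' } })
    })
$sp = New-MgServicePrincipal -AppId $app.AppId   # the enterprise app that consent is granted to

# Step 4: client secret, 6 months (assumed); SecretText is only returned by this call, never again.
$secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = 'Mobile Guardian integration'
    EndDateTime = (Get-Date).AddMonths(6)
}

# Step 5: tenant-wide admin consent, one app role assignment per application permission.
foreach ($role in $appRoles) {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -PrincipalId $sp.Id `
        -ResourceId $graphSp.Id -AppRoleId $role.Id | Out-Null
}

# Check: secrets on any app registration that expire within the given window (schedule this).
function Get-ExpiringAppSecrets {
    param([int] $WithinDays = 30)
    $cutoff = (Get-Date).AddDays($WithinDays)
    Get-MgApplication -All -Property Id, DisplayName, PasswordCredentials | ForEach-Object {
        $appName = $_.DisplayName
        $_.PasswordCredentials | Where-Object { $_.EndDateTime -le $cutoff } |
            Select-Object @{ n = 'App'; e = { $appName } }, DisplayName, EndDateTime
    }
}

# The values the guide tells you to copy. Store the secret in a password manager; it is shown once.
[pscustomobject]@{
    TenantId      = (Get-MgContext).TenantId
    ClientId      = $app.AppId
    ClientSecret  = $secret.SecretText
    SecretExpires = $secret.EndDateTime
}
Get-ExpiringAppSecrets -WithinDays 30
```

After running this, open the registration in the portal and confirm the API permissions page shows Granted for all four entries; the app role assignments above are exactly what the Grant admin consent button creates.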
Next, we will move to part two of the enrolment.
We hope you found this useful.
Thanks for reading! 🙂