# Microsoft Intune

### Overview <a href="#overview" id="overview"></a>

Intune, or Endpoint Manager ([endpoint.microsoft.com](https://endpoint.microsoft.com/)), is Microsoft's mobile device manager (MDM) and enterprise mobility management (EMM) solution. While several of its prominent features are Windows-specific, it also supports Android devices and is an Android Enterprise Recommended solution.

### System Requirements <a href="#system-requirements" id="system-requirements"></a>

* License/Subscription for Microsoft Intune (Endpoint Manager)
* BlueFletch Portal Access (contact [**ems@bluefletch.com**](mailto:ems@bluefletch.com) for more information)

### Getting Started with Intune <a href="#getting-started-with-intune" id="getting-started-with-intune"></a>

#### 1. Link Managed Google Play to Intune <a href="#id-1-link-managed-play-google-play-to-intune" id="id-1-link-managed-play-google-play-to-intune"></a>

First, ensure that your Intune environment is ready for Android Enterprise device enrollment and Managed Play Store deployments. To enable these features, you must first link a Managed Google Play account to Intune. Within Intune, navigate from the ***Home*** blade to ***Devices*** > ***Enroll Devices*** > ***Android Enrollment***. For more information, please follow the [guide from Microsoft](https://docs.microsoft.com/en-us/mem/intune/enrollment/connect-intune-android-enterprise).

#### 2. Enroll Devices with Android Enterprise <a href="#id-2-enroll-devices-with-android-enterprise" id="id-2-enroll-devices-with-android-enterprise"></a>

Now that the prerequisites for Android Enterprise are complete, create an Enrollment Profile for Android devices. In the same ***Android Enrollment*** section in Intune, create an enrollment profile for corporate-owned dedicated devices.

> **Note:** Other enrollment profiles can also be used, but the dedicated device option prevents associating enrolled devices with Azure Active Directory accounts and is ideal for shared-user enterprise Android devices. Please refer to the [Microsoft documentation](https://docs.microsoft.com/en-us/mem/intune/enrollment/android-kiosk-enroll) for more information regarding enrollment profiles.

#### 3. Share BlueFletch Apps with Organization's Intune Enterprise <a href="#id-3-share-playbook-app-with-organizations-intune-enterprise" id="id-3-share-playbook-app-with-organizations-intune-enterprise"></a>

In order to install BlueFletch applications from the Managed Play Store, BlueFletch must first share the apps to your organization. Please reach out to your BlueFletch account manager for this request. The ID that needs to be provided can be found by following [this guide](https://support.google.com/googleplay/work/answer/7042126?hl=en) from Google.

#### 4. Auto Grant Permissions, Allow Unknown Apps, Allow Access to All Google Play Store Apps <a href="#id-4-auto-grant-permissions-allow-unknown-apps-allow-access-to-all-google-play-store-apps" id="id-4-auto-grant-permissions-allow-unknown-apps-allow-access-to-all-google-play-store-apps"></a>

In Intune, navigate to ***Devices*** > ***Android*** > ***Configuration Profiles***. Click the **+ Create Profile** button.\
Select "Android Enterprise" as the ***Platform*** and "Device Restrictions" as the ***Profile Type***. Click **Create**.\
Name the profile “Grant All App Permissions & Allow All Apps” and select **Next**.\
Expand the ***General*** section and locate ***Default Permission Policy***. Set the value to "Auto grant".

<figure><img src="/files/km43D5xD4lnBAJvsNY5h" alt=""><figcaption><p>Grant Permissions</p></figcaption></figure>

Scroll down and expand the ***Applications*** section. Locate ***Allow Installation from Unknown Sources*** and, directly below it, ***Allow access to all apps in Google Play store***. Set the value for each to "Allow".

<figure><img src="/files/Yt00QkQctIALRrKid3DT" alt=""><figcaption><p>Allow Access to All Apps</p></figcaption></figure>

Click **Next** when those changes have been made.

> **Note:** If your device admin has already designated a standard configuration policy, ensure these two settings have been included.

In the ***Assignments*** section, click **Add groups** and include the group(s) which contain the Android devices intended for BlueFletch app deployment and click **Next**. For more information on creating groups and adding devices, please refer to [this guide](https://docs.microsoft.com/en-us/mem/intune/fundamentals/groups-add) from Microsoft.

### App Deployment

1. In Microsoft Intune console, navigate to ***Apps*** > ***Android***.
2. Select **Add**, and then from the dropdown select "Managed Google Play app". Press **Select** at the bottom of the page.
3. Once inside the Google Play iFrame, select the **Sync** button.  This will bring you back to the previous page.
4. Repeat **step 2** above now that your apps have been synchronized, to return to the Google Play Store iFrame.
5. In the search box, type in "BlueFletch" with quotation marks around it, and then press enter.\
   ![](/files/F1sMtXm4845wKYpGuZbs)
6. You should see a list of applications that have been shared with your organization.  If you do not see any applications, reach out to your contact at BlueFletch for assistance.
7. Locate one of the applications that you want to deploy to your devices and click on it.  Press the **Select** button.  Press the back button to get back to the list of BlueFletch apps, and then select another one.  Repeat this process for all BlueFletch apps that you would like to deploy.
8. Once you have selected all the apps you would like to import from Google Play, press the **Sync** button in the top-left corner of the Google Play iFrame.  You will be brought back to the ***Android Apps*** page of Intune.
9. Wait a minute or two for the synchronization to complete, and then press the refresh button.  You should now see the apps in the Android apps list within intune.
10. Click on one of the applications and then select **Properties** tab from the left-hand side.
11. Next to ***Assignments*** select **Edit**.
12. Add a new "Required" group, user, or device assignment.
13. Once the assignment has been created, select the **Production** button underneath where it says tracks.  In the window that opens up, select the **Tracks** dropdown, and put a checkmark next to the latest version available.  Note that the production version will remain checked, but this is okay; Intune always deploys the newest version selected.<br>

    <figure><img src="/files/NSmmygqpzjpX30BhTIvP" alt=""><figcaption></figcaption></figure>
14. Once you have selected the latest version, select **OK**.  Add any other assignments you want and then select **Review + Save**.  On the next screen, select **Save**.
15. Repeat the above steps 10 through 14 for each of the apps you wish to deploy.

### Configuring BlueFletch Apps

1. Most of the BlueFletch apps are configured using the launcher.json file.  This file can be created using the GUI within the BlueFletch Portal under ***Enterprise Launcher*** ***> Configurations*** (reach out to your BlueFletch contact if you do not have access), or by editing the raw JSON.  The available parameters/settings can be found in the [Launcher Technical Documentation](https://docs.bluefletch.com/bluefletch-enterprise/product-guides/bluefletch-launcher/technical-guide).  Your BlueFletch contact can help you set up this configuration file.
2. Once you have created a configuration file, you will need to deploy it via an App Configuration Policy.
3. In Intune, go to ***Apps > Policy > App Configuration Policies***
4. Select ***Add > Managed Devices***
5. Enter a name for the policy, select "Android Enterprise", and select "Fully Managed, Dedicated, and Corporate-Owned Work Profile Only".  Click on **Select App**, and select "EMS Launcher", and "OK".  Select **Next**.<br>

   <figure><img src="/files/bmJT4iPE4qIiYEkrqGcB" alt=""><figcaption></figcaption></figure>
6. Under configuration settings format, select "Use Configuration Designer".
7. Under where it says "Use the JSON editor to configure the disabled configuration keys.", select the **+Add** button.  Select all three checkboxes, and press **OK**.
8. Enter the URL and checksum for the configuration file you wish to deploy to your devices (note that this can be found by pressing the **Copy URL** and **Copy checksum** buttons on the Enteprise Launcher configuration you created on the BlueFletch Portal).  Enter your BlueFletch Organization ID (which can be found on the BlueFletch Portal under ***Admin > Organization***).<br>

   <figure><img src="/files/l4PQCdo9QVyhxbofnYZ6" alt=""><figcaption></figcaption></figure>
9. Select **Next**.
10. On the following page, assign the app configuration policy to the same group as the EMS Launcher app is deployed to.
11. Click **Next**.  Click **Create**.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.bluefletch.com/bluefletch-enterprise/technical-documentation/deploying-bluefletch-enterprise/mdms/microsoft-intune.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.