Microsoft Intune + Playbook

Deploying BlueFletch Enterprise via Microsoft Intune (Endpoint Manager) EMM

Overview

While the most seamless user experience for the BlueFletch Enterprise application suite is device enrollment through BlueFletch's EMM, customers already using Microsoft Intune may prefer to deploy BlueFletch Enterprise to their devices through Intune. The steps below describe the most efficient way to utilize Intune for deploying BlueFletch applications; Intune can install Playbook Agent, BlueFletch's enterprise installer app, from the Managed Google Play Store, and it will serve as the primary tool to install all other BlueFletch apps.

System Requirements

• License/Subscription for Microsoft Intune (Endpoint Manager)

• BlueFletch Portal Access (contact ems@bluefletch.com for more information)

• Zebra Android Device (running Android 6.0+)

Getting Started with Intune

1. Link Managed Play Google Play to Intune

First, ensure that your Intune environment is ready for Android Enterprise device enrollment and Managed Play Store deployments. To enable these features, you must first link a Managed Google Play account to Intune. Within Intune, navigate from the Home blade to Devices > Enroll Devices > Android Enrollment. For more information, please follow the guide from Microsoft.

2. Enroll Devices with Android Enterprise

Now that the prerequisites for Android Enterprise are complete, create an Enrollment Profile for Android devices. In the same Android Enrollment section in Intune, create an enrollment profile for corporate-owned dedicated devices.

Note: Other enrollment profiles can also be used, but the dedicated device option prevents associating enrolled devices with Azure Active Directory accounts and is ideal for shared-user enterprise Android devices. Please refer to the Microsoft documentation for more information regarding enrollment profiles.

3. Share Playbook App with Organization's Intune Enterprise

In order to access the Playbook Agent from the Managed Play Store for approval, BlueFletch must first share the app to your organization. Please reach out to your BlueFletch account manager for this request. The ID that needs to be provided can be found by following this guide from Google.

4. Auto Grant Permissions, Allow Unknown Apps, Allow Access to All Google Play Store Apps

In Intune, navigate to Devices > Android > Configuration Profiles. Click the + Create Profile button. Select "Android Enterprise" as the Platform and "Device Restrictions" as the Profile Type. Click Create. Name the profile “Grant All App Permissions & Allow All Apps” and select Next. Expand the General section and locate Default Permission Policy. Set the value to "Auto grant".

Scroll down and expand the Applications section. Locate Allow Installation from Unknown Sources and, directly below it, Allow access to all apps in Google Play store. Set the value for each to "Allow".

Click Next when those changes have been made.

Note: If your device admin has already designated a standard configuration policy, ensure these two settings have been included.

In the Assignments section, click Add groups and include the group(s) which contain the Zebra Android devices intended for Playbook deployment and click Next. For more information on creating groups and adding devices, please refer to this guide from Microsoft. Review the profile and then click Create when ready to deploy. This will pave the way for Playbook to automatically run and not require any user prompt acceptance/input.

Preparing BlueFletch Portal to Integrate with Intune EMM

1. Build Plays

Please refer to this guide for creating plays. Plays represent each single action in the process of Playbook Agent deploying BlueFletch Enterprise onto a device, such as downloading a file, installing an application, or invoking an intent.

2. Build Playbooks

Please refer to this guide for creating playbooks. Playbooks represent groups of plays. The Playbook Agent application uses playbooks to keep a device compliant with changes applied by a device admin.

3. Build Deployment Groups

Please refer to this guide for creating deployment groups. A deployment group is used to assign a playbook to a group of devices. A deployment group could represent a region or a single store.

Approving Playbook App in Play Store

After your BlueFletch account manager has confirmed Playbook has been shared to your organization (see Step 3 from Getting Started with Intune), navigate in Intune to Apps > Android. Click the + Add button. For App type, select "Managed Google Play app" and press Select. When the Google Play Stores opens, search for “BlueFletch” (quotation marks included). The Playbook Agent application should be shared with your organization. Reach out to your BlueFletch contact if it is not.

Click the Playbook icon and then click Approve.

On the pop-up for Permissions, click Approve.

Click Done with the radio button set to “Keep approved when app requests new permissions”.

Finally, click Select and then click Sync to return to the Apps list. Refreshing Apps should display Playbook, but there is often a delay; waiting 1-3 minutes may be required.

Assigning Playbook App

Once the Playbook app is approved for Intune, it must be assigned to a group so that it will show up on devices. Navigate to Apps > Android and select Playbook from the list. Select Properties and click the Edit button next to Assignments.

Under Required, click + Add group and select the group or groups that have the Zebra Android devices intended for Playbook deployment, the same group(s) selected in Step 4 of Getting Started with Intune. Make sure Group mode is "Included".

Press Review + save to review changes and then Save to apply.

Creating App Configuration for Playbook

To link the Playbook app to your BlueFletch Enterprise organization and deployment group, you must create an app configuration policy in Intune. Go to Apps blade and select App configuration policies.

Click + Add and select "Managed devices". Name the policy. Select "Android Enterprise" as the platform and "Fully Managed, Dedicated, and Corporate-Owned Work Profile Only" as the profile type. Select Playbook as the targetted app from the Associated app pane, and press OK and then Next to continue.

On Settings page, select "Use configuration designer" for the configuration settings format and click + Add. Select both available fields, "Organization Id" and "Deployment Group Id," from the side pane.

Leave the value type as String, and edit the configuration values to match your company's BlueFletch Enterprise Organization Id and Deployment Group Id. Press Next to continue to Assignments page, and click Add groups button from under Included groups. Select the group(s) that contain all Zebra Android devices (again, same groups as in Step 4 of Getting Started with Intune). Press Next to review and Create to save the policy.

Checking for Compliance

An admin can monitor the compliance of the device in Intune and in the BlueFletch Portal.

Intune monitors if a device conforms to its device compliance policies, has successfully installed all apps, and successfully applied device and app configuration profiles. To view these statuses, navigate to Devices > Android > Android devices. On the device list, each device will have a Compliance column, which correlates to the state of its device compliance profile.

Click on a device for more details. Under Monitor, the blades that track compliance are Device compliance, Device configuration, App configuration, and Managed Apps. Device compliance displays the compliance policy or policies on that device and their state, which may be "Compliant", "Not Compliant", or "Not Evaluated". Device configuration displays the configuration(s) that pertain to the device and whether the device successfully implemented them.

App configuration displays any configuration profiles that have been applied to the device, such as setting the Deployment Group ID and Organization ID for Playbook, as described above, and whether it was successfully applied to the device. Managed Apps displays all the Managed Google Play Store apps available for the device to install and the current installation status of each.

The BlueFletch Portal monitors if a device has successfully run all the plays in its assigned playbook. An admin can view this in Playbook MDM under the Devices subtab.