# Microsoft Intune + Playbook

## Deploying BlueFletch Enterprise via Microsoft Intune (Endpoint Manager) EMM <a href="#deploying-bluefletch-enterprise-via-microsoft-intune-endpoint-manager-emm" id="deploying-bluefletch-enterprise-via-microsoft-intune-endpoint-manager-emm"></a>

### Overview <a href="#overview" id="overview"></a>

While the most seamless user experience for the BlueFletch Enterprise application suite is device enrollment through BlueFletch's [EMM](https://docs.bluefletch.com/bluefletch-enterprise/product-guides/portal/emm-console/overview), customers already using Microsoft Intune may prefer to deploy BlueFletch Enterprise to their devices through Intune. The steps below describe the most efficient way to utilize Intune for deploying BlueFletch applications; Intune can install Playbook Agent, BlueFletch's enterprise installer app, from the Managed Google Play Store, and it will serve as the primary tool to install all other BlueFletch apps.

### System Requirements <a href="#system-requirements" id="system-requirements"></a>

* License/Subscription for Microsoft Intune (Endpoint Manager)
* BlueFletch Portal Access (contact [**ems@bluefletch.com**](mailto:ems@bluefletch.com) for more information)
* Zebra Android Device (running Android 6.0+)

### Getting Started with Intune <a href="#getting-started-with-intune" id="getting-started-with-intune"></a>

#### 1. Link Managed Google Play to Intune <a href="#id-1-link-managed-play-google-play-to-intune" id="id-1-link-managed-play-google-play-to-intune"></a>

First, ensure that your Intune environment is ready for Android Enterprise device enrollment and Managed Play Store deployments. To enable these features, you must first link a Managed Google Play account to Intune. Within Intune, navigate from the ***Home*** blade to ***Devices*** > ***Enroll Devices*** > ***Android Enrollment***. For more information, please follow the [guide from Microsoft](https://docs.microsoft.com/en-us/mem/intune/enrollment/connect-intune-android-enterprise).

#### 2. Enroll Devices with Android Enterprise <a href="#id-2-enroll-devices-with-android-enterprise" id="id-2-enroll-devices-with-android-enterprise"></a>

Now that the prerequisites for Android Enterprise are complete, create an Enrollment Profile for Android devices. In the same ***Android Enrollment*** section in Intune, create an enrollment profile for corporate-owned dedicated devices.

> **Note:** Other enrollment profiles can also be used, but the dedicated device option prevents associating enrolled devices with Azure Active Directory accounts and is ideal for shared-user enterprise Android devices. Please refer to the [Microsoft documentation](https://docs.microsoft.com/en-us/mem/intune/enrollment/android-kiosk-enroll) for more information regarding enrollment profiles.

#### 3. Share Playbook App with Organization's Intune Enterprise <a href="#id-3-share-playbook-app-with-organizations-intune-enterprise" id="id-3-share-playbook-app-with-organizations-intune-enterprise"></a>

In order to access the Playbook Agent from the Managed Play Store for approval, BlueFletch must first share the app to your organization. Please reach out to your BlueFletch account manager for this request. The ID that needs to be provided can be found by following [this guide](https://support.google.com/googleplay/work/answer/7042126?hl=en) from Google.

#### 4. Auto Grant Permissions, Allow Unknown Apps, Allow Access to All Google Play Store Apps <a href="#id-4-auto-grant-permissions-allow-unknown-apps-allow-access-to-all-google-play-store-apps" id="id-4-auto-grant-permissions-allow-unknown-apps-allow-access-to-all-google-play-store-apps"></a>

In Intune, navigate to ***Devices*** > ***Android*** > ***Configuration Profiles***. Click the **+ Create Profile** button.\
Select "Android Enterprise" as the ***Platform*** and "Device Restrictions" as the ***Profile Type***. Click **Create**.\
Name the profile “Grant All App Permissions & Allow All Apps” and select **Next**.\
Expand the ***General*** section and locate ***Default Permission Policy***. Set the value to "Auto grant".

![Grant Permissions](https://799338798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSxhNrDkmDAkv7QEWfOIh%2Fuploads%2F1qnQyn1W9co6P14bVpCN%2FIntune_deviceRestrictions.png?alt=media\&token=aea3567b-8826-4eaa-84cb-9b5f760eb44b)

Scroll down and expand the ***Applications*** section. Locate ***Allow Installation from Unknown Sources*** and, directly below it, ***Allow access to all apps in Google Play store***. Set the value for each to "Allow".

![Allow Apps](https://799338798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSxhNrDkmDAkv7QEWfOIh%2Fuploads%2FPdzpNJRM8T4DJRj5lmpO%2FIntune_configProfile_allow.png?alt=media\&token=43fe1fcc-a8f9-457c-8faa-ab4add240b61)

Click **Next** when those changes have been made.

> **Note:** If your device admin has already designated a standard configuration policy, ensure these two settings have been included.

In the ***Assignments*** section, click **Add groups** and include the group(s) which contain the Zebra Android devices intended for Playbook deployment and click **Next**. For more information on creating groups and adding devices, please refer to [this guide](https://docs.microsoft.com/en-us/mem/intune/fundamentals/groups-add) from Microsoft.\
Review the profile and then click **Create** when ready to deploy. This will pave the way for Playbook to automatically run and not require any user prompt acceptance/input.
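
The following check is an added example, not part of BlueFletch's or Microsoft's documentation: given device restriction profiles exported as JSON, it reports which of the three step 4 settings a profile lacks and whether a profile that relaxes any of them is assigned to groups other than the Playbook device groups. The property names are assumed to follow the Microsoft Graph `androidDeviceOwnerGeneralDeviceConfiguration` resource; `assignedGroupIds`, the group names and the sample data are constructed for illustration.

```python
import json

# Values step 4 sets, keyed by the property names Microsoft Graph uses on
# androidDeviceOwnerGeneralDeviceConfiguration (assumption: confirm the
# names against your own export before relying on the result).
REQUIRED = {
    "appsDefaultPermissionPolicy": "autoGrant",  # Default Permission Policy
    "appsAllowInstallFromUnknownSources": True,  # Unknown Sources = Allow
    "playStoreMode": "blockList",  # all Google Play store apps = Allow
}

# Constructed sample export; "assignedGroupIds" is a hypothetical flattened
# field standing in for each profile's assignment targets.
SAMPLE_EXPORT = json.loads("""
[
  {"displayName": "Grant All App Permissions & Allow All Apps",
   "appsDefaultPermissionPolicy": "autoGrant",
   "appsAllowInstallFromUnknownSources": true,
   "playStoreMode": "blockList",
   "assignedGroupIds": ["grp-zebra-stores", "grp-office-phones"]},
  {"displayName": "Standard Android Restrictions",
   "appsDefaultPermissionPolicy": "prompt",
   "appsAllowInstallFromUnknownSources": false,
   "playStoreMode": "allowList",
   "assignedGroupIds": ["grp-zebra-stores"]}
]
""")


def audit_profiles(profiles, playbook_groups):
    """Return one finding per profile: settings missing for Playbook, and
    groups outside the Playbook device groups that receive relaxed settings."""
    findings = []
    for profile in profiles:
        missing = sorted(k for k, v in REQUIRED.items() if profile.get(k) != v)
        relaxes_any = len(missing) < len(REQUIRED)
        assigned = set(profile.get("assignedGroupIds", []))
        extra = sorted(assigned - set(playbook_groups)) if relaxes_any else []
        findings.append({"name": profile.get("displayName"),
                         "missing": missing, "extra_groups": extra})
    return findings


if __name__ == "__main__":
    for finding in audit_profiles(SAMPLE_EXPORT, ["grp-zebra-stores"]):
        print(finding)
```
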

### Preparing BlueFletch Portal to Integrate with Intune EMM <a href="#preparing-bluefletch-portal-to-integrate-with-intune-emm" id="preparing-bluefletch-portal-to-integrate-with-intune-emm"></a>

#### 1. Build Plays <a href="#id-1-build-plays" id="id-1-build-plays"></a>

Please refer to [this guide](https://docs.bluefletch.com/bluefletch-enterprise/product-guides/portal/playbook-mdm/plays) for creating plays. Plays represent each single action in the process of Playbook Agent deploying BlueFletch Enterprise onto a device, such as downloading a file, installing an application, or invoking an intent.

#### 2. Build Playbooks <a href="#id-2-build-playbooks" id="id-2-build-playbooks"></a>

Please refer to [this guide](https://docs.bluefletch.com/bluefletch-enterprise/product-guides/portal/playbook-mdm/playbooks) for creating playbooks. Playbooks represent groups of plays. The Playbook Agent application uses playbooks to keep a device compliant with changes applied by a device admin.

#### 3. Build Deployment Groups <a href="#id-3-build-deployment-groups" id="id-3-build-deployment-groups"></a>

Please refer to [this guide](https://docs.bluefletch.com/bluefletch-enterprise/product-guides/portal/playbook-mdm/deployment-groups) for creating deployment groups. A deployment group is used to assign a playbook to a group of devices. A deployment group could represent a region or a single store.

### Approving Playbook App in Play Store <a href="#approving-playbook-app-in-play-store" id="approving-playbook-app-in-play-store"></a>

After your BlueFletch account manager has confirmed Playbook has been shared to your organization (see [Step 3](https://docs.bluefletch.com/bluefletch-enterprise/technical-documentation/deploying-bluefletch-enterprise/mdms/microsoft-intune/microsoft-intune) from **Getting Started with Intune**), navigate in Intune to ***Apps*** > ***Android***. Click the **+ Add** button.\
For ***App type***, select "Managed Google Play app" and press **Select**.\
When the Google Play Store opens, search for “BlueFletch” (quotation marks included). The Playbook Agent application should be shared with your organization. Reach out to your BlueFletch contact if it is not.

Click the Playbook icon and then click **Approve**.

On the pop-up for Permissions, click **Approve**.

Click **Done** with the radio button set to “Keep approved when app requests new permissions”.

Finally, click **Select** and then click **Sync** to return to the ***Apps*** list. Refreshing ***Apps*** should display Playbook, but there is often a delay; waiting 1-3 minutes may be required.

### Assigning Playbook App <a href="#assigning-playbook-app" id="assigning-playbook-app"></a>

Once the Playbook app is approved for Intune, it must be assigned to a group so that it will show up on devices.\
Navigate to ***Apps*** > ***Android*** and select Playbook from the list.\
Select ***Properties*** and click the **Edit** button next to ***Assignments***.

Under ***Required***, click **+ Add group** and select the group or groups that have the Zebra Android devices intended for Playbook deployment, the same group(s) selected in [Step 4](https://docs.bluefletch.com/bluefletch-enterprise/technical-documentation/deploying-bluefletch-enterprise/mdms/microsoft-intune/microsoft-intune) of Getting Started with Intune.\
Make sure ***Group mode*** is "Included".

![Assign Groups](https://799338798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSxhNrDkmDAkv7QEWfOIh%2Fuploads%2F0t8SvNw8MV4SpUwyt3zi%2FIntune_assignApp_groups.png?alt=media\&token=5c6d078c-8911-49d7-9de1-709cf6cd260b)

Press **Review + save** to review changes and then **Save** to apply.

### Creating App Configuration for Playbook <a href="#creating-app-configuration-for-playbook" id="creating-app-configuration-for-playbook"></a>

To link the Playbook app to your BlueFletch Enterprise organization and deployment group, you must create an app configuration policy in Intune. Go to the ***Apps*** blade and select ***App configuration policies***.

Click **+ Add** and select "Managed devices".\
Name the policy. Select "Android Enterprise" as the platform and "Fully Managed, Dedicated, and Corporate-Owned Work Profile Only" as the profile type. Select Playbook as the targeted app from the ***Associated app*** pane, and press **OK** and then **Next** to continue.

<figure><img src="https://799338798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSxhNrDkmDAkv7QEWfOIh%2Fuploads%2F9S2iJB36I2ZHB0QSxlMK%2FIntune_appConfig_select.png?alt=media&#x26;token=de2ba76b-27b1-43f3-8c48-47c843328e84" alt=""><figcaption><p>App Configuration Policy</p></figcaption></figure>

On the ***Settings*** page, select "Use configuration designer" for the configuration settings format and click **+ Add**.\
Select both available fields, "Organization Id" and "Deployment Group Id," from the side pane.

![App Configuration Settings](https://799338798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSxhNrDkmDAkv7QEWfOIh%2Fuploads%2FfWNPXu3NcsFOOhIv2yO6%2FIntune_appConfig_formatSettings.png?alt=media\&token=b1a6c850-c261-45f9-bfad-4ea672d056e3)

Leave the value type as String, and edit the configuration values to match your company's BlueFletch Enterprise [Organization](https://docs.bluefletch.com/bluefletch-enterprise/product-guides/portal/admin/organization) Id and [Deployment Group](https://docs.bluefletch.com/bluefletch-enterprise/product-guides/portal/playbook-mdm/deployment-groups) Id.\
Press **Next** to continue to the ***Assignments*** page, and click the **Add groups** button under ***Included groups***.\
Select the group(s) that contain all Zebra Android devices (again, same groups as in Step 4 of Getting Started with Intune).\
Press **Next** to review and **Create** to save the policy.

### Checking for Compliance <a href="#checking-for-compliance" id="checking-for-compliance"></a>

An admin can monitor the compliance of the device in Intune and in the BlueFletch Portal.

Intune monitors if a device conforms to its device compliance policies, has successfully installed all apps, and successfully applied device and app configuration profiles.\
To view these statuses, navigate to ***Devices*** > ***Android*** > ***Android devices***. On the device list, each device will have a ***Compliance*** column, which correlates to the state of its device compliance profile.

![Compliance Androids](https://799338798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSxhNrDkmDAkv7QEWfOIh%2Fuploads%2FCitjjpqRqcvzMHEURveC%2FIntune_compliance_androids.png?alt=media\&token=75f84bf2-2908-4d58-a90d-e4a30735430d)

Click on a device for more details.\
Under ***Monitor***, the blades that track compliance are ***Device compliance***, ***Device configuration***, ***App configuration***, and ***Managed Apps***.\
***Device compliance*** displays the compliance policy or policies on that device and their state, which may be "Compliant", "Not Compliant", or "Not Evaluated".\
***Device configuration*** displays the configuration(s) that pertain to the device and whether the device successfully implemented them.

![Compliance Device Config](https://799338798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSxhNrDkmDAkv7QEWfOIh%2Fuploads%2FPGAmAyuw5TcB7MUZsWLR%2FIntune_compliance_deviceConfig.png?alt=media\&token=7f67161f-9c62-47e4-a759-ec9867e49291)

***App configuration*** displays any configuration profiles that have been applied to the device, such as setting the Deployment Group ID and Organization ID for Playbook, as described [above](https://docs.bluefletch.com/bluefletch-enterprise/technical-documentation/deploying-bluefletch-enterprise/mdms/microsoft-intune/microsoft-intune), and whether each was successfully applied to the device.\
***Managed Apps*** displays all the Managed Google Play Store apps available for the device to install and the current installation status of each.

![Compliance Managed Apps](https://799338798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSxhNrDkmDAkv7QEWfOIh%2Fuploads%2FQ2M41CjXKGqwrR4i2JRA%2FIntune_compliance_managedApps.png?alt=media\&token=efb372ec-0e0b-4db1-8b1a-e88ba95871b7)

The BlueFletch Portal monitors if a device has successfully run all the plays in its assigned playbook. An admin can view this in Playbook MDM under the [Devices](https://docs.bluefletch.com/bluefletch-enterprise/product-guides/portal/playbook-mdm/devices) subtab.
