Enrolling Windows Modern Devices with Azure Active Directory Join

Before you begin

  • You must have an Azure Active Directory (AAD) Premium P1 license. You can check your license status by logging into the Azure portal, then selectingAzure Active Directory > Overview.
  • You must have the following licenses: Azure user license of F3, Office 365 Business Basic, Office 365 Business Premium.

Check the Microsoft 365 Enterprise Licensing Resource for more information.

About this task

This procedure details the steps to configure Azure Active Directory (Azure AD) to enroll Windows Modern devices into on-premises SOTI MobiControl using the Azure Join enrollment method:

  1. Verify Domain in Azure AD
  2. Create and Configure the On-Premises Application in Azure AD
  3. Configure SOTI MobiControl Tenant Configuration, On-Premises App Configuration, and Add Devices Rule
  4. Enroll Windows Modern Devices

Verify Domain in Azure AD

Procedure

  1. From Azure AD, select Custom Domain Names > Add Custom Domain > Enter the Domain.
  2. Copy the following values and provide them to your domain Administrator:
    • Record type
    • Alias or host name
    • Destination or points to address
    • TTL

    Domain information in Azure AD

Create and Configure the On-Premises Application in Azure AD

Procedure

  1. From Azure AD, select Mobility (MDM and MAM), then click Add application and select On-Premises MDM application.
  2. Provide a name for the application and click Add.
  3. If the Microsoft Intune app is present under Azure AD > Mobility (MDM and MAM) you need to disable it so it does not interfere with the SOTI MobiControl On-Premises app you created.
    1. Select the Microsoft Intune app.
    2. Set the MDM user scope to None.
    3. Set the MAM user scope to None.

      Microsoft Intune configuration in Azure AD.

  4. On the Configure screen set the MDM user scope to Some or All. If you select Some, you can specify which user groups to include.
  5. Update the MDM terms of use URL with the DMA of your SOTI MobiControl instance. For example: https://DMA/FederatedEnrollment/TermsOfUse.svc/TermsOfUse
  6. Update the MDM discovery URL with the DMA of your SOTI MobiControl instance. For example: https://DMA/FederatedEnrollment/Discovery.svc
    Note: You can find the DMA address in the SOTI MobiControl Admin Utility's Deployment Server tab.

    DMA configuration in Azure AD.

  7. From Azure AD, select App Registrations, then select the new On-Premises app. Click the Application ID URI in the top right and edit the value with the DMA of the SOTI MobiControl instance.

    Azure AD app registration screen.

    Application ID URI example in Azure AD.

  8. From Azure AD, select API Permissions > Add a permission > Select Microsoft Graph.

    Azure AD Microsoft Graph API selection.

  9. Select Application permissions and add the following permissions:
    • Application permissions > Device > Read all devices
    • Application permissions > Device > Read and write devices
    • Application permissions > Directory > Read directory data
    • Application permissions > Directory > Read and write directory data
    • Application permissions > Group > Read All Groups
    • Application permissions > User > Read all users’ full profiles
  10. Select Delegated permissions and add the following permissions:
    • Delegated permissions > Group > Read all groups
    • Delegated permissions > Group > Read and write all groups

    Azure AD Microsoft Graph delegated permissions selection.

  11. Click Grant admin consent for <Tenant Name>. The status for the permissions should be listed as Granted for <Tenant Name>.

    Permissions listings in Azure AD.

  12. From the current screen, select Manifest.
  13. Ensure that the value for groupMembershipClaims is set to "SecurityGroup".
  14. Ensure that the identifierUris is set to the value you entered in the Application ID URI from the App Registration step.

    Manifest settings within Azure AD.

    Note: If groupMembershipClaims is not set to "SecurityGroup", verify that the Application ID URI is set correctly. If it is set and the groupMembershipClaims value is still not appearing as expected, enter the following and click Save:

    "groupMembershipClaims": "1",

    Reopen the Manifest and the groupMembershipClaims should be set to “SecurityGroup” as expected.

  15. From the current screen select Certificates and Secrets, then click New Client Secret.
  16. Enter a Description for the secret and set an Expiry, then click Add.
  17. Copy the value immediately and save it in another text file for future reference.
    Note: The value will be masked and you will not be able to read it again.

    Client Secret setting in Azure AD.

Configure SOTI MobiControl Tenant Configuration, On-Premises App Configuration, and Add Devices Rule

Procedure

  1. Log into SOTI MobiControl as an Administrator.
  2. Select Global Settings from the main menu.
  3. From the Settings tree on the left, select Services > Directory .
  4. Add an Azure Directory.
  5. In the Azure Directories screen, provide a name for the Azure Connection.
  6. In the Azure Tenant ID table click Add, then perform the following actions:
    1. Enter a Name for the Tenant ID Configuration.
    2. Enter the Azure Tenant Name, and the Azure Tenant ID. You can find these in the Primary domain and Tenant ID fields in the Azure Active Directory Overview in Azure AD (see below).
      Azure Directories screen in MobiControl.Overview screen in Azure AD
    3. Enter the Metadata Endpoint Address. You can find this in Azure AD in Mobility (MDM and MAM). Select the On-Premises application, then navigate to On-premises MDM application settings > Endpoints and refer to the Federation metadata document field.
      Azure AD On-Premises MDM applications settings.Azure AD Enpoints screen.
  7. From the same screen in SOTI MobiControl, click Add in the Application Names table, then perform the following actions:
    1. Enter a Application Name for the application.
    2. Enter the Client ID for the application.You can find this in Azure AD in Mobility (MDM and MAM). Select the On-Premises application, then navigate to On-premises MDM application settings and refer to the Application (client) ID field.
      Azure AD On-Premises MDM application settings.
    3. Enter the Client Secret for the application. You can find this in Azure AD in Mobility (MDM and MAM). Select the On-Premises application, then navigate to On-premises MDM application settings > Certificates and Secrets.
      Azure AD Certificates and Secrets screen.
  8. Click Save to save your Azure configuration.
  9. In SOTI MobiControl, select Policies from the main menu, then select Enrollment > New Enrollment Policy > Windows > Windows Modern tab. Right-click the Add Devices folder and select Create Add Devices Rule.
  10. Enter a Name for the rule, then click Next.
  11. Under Enrollment Options select Based on User Group Membership, click Next.
  12. Under Group Mappings, select your Azure connection in the In: box.
  13. Type the name of the Azure AD group you want to pull members from to be enrolled into SOTI MobiControl into the Search field and click Add.
  14. Map the Azure AD User Group to the SOTI MobiControl Device Group.
    Mapping Azure AD User Groups to MobiControl Device Groups.
  15. Click Next, then click Next in the Authentication tab.
  16. Upload your terms and conditions in the Terms and Conditions tab. Click Next.
  17. In the Device Name tab, you can update the name of your devices. Click Next.
  18. Click Finish to save the Add Devices rule.

Enroll Windows Modern Devices

About this task

At this point, Azure and SOTI MobiControl are configured. Devices are ready to be enrolled into SOTI MobiControl using Azure join.

Procedure

  1. On the Windows 10 device, navigate to Settings > Accounts > Access work or school. Click Connect.
  2. Enter the user Email address and Password.
    The terms and conditions from the add devices rule appears.
  3. Accept the terms and conditions.
    Windows Modern Terms and Conditions screen.

    MobiControl device enrollment message.

    In SOTI MobiControl you will be alerted that a new device has been enrolled. The device is now enrolled into SOTI MobiControl.