Cascades Tucson — Intune / MDM Prerequisites Gap Check
- Date: 2026-04-19 (UTC)
- Tenant: cascadestucson.com (207fa277-e9d8-4eb7-ada1-1064d2221498)
- Intune account ID: 15b6c28c-47fa-40b0-a6af-b9e03ab959c3
- Method: Read-only Graph API via Claude-MSP-Access app (no changes made)
- Goal: establish what is configured vs. what needs setup before enrolling 25 shared Android phones (AESDM) + 9 kitchen iPads (Intune DEM)
Findings
| # | Prereq | Status | Notes |
|---|---|---|---|
| 1 | MDM authority = Intune | Not set (null) | intuneAccountId is populated, so Intune is provisioned; only the authority flag has not been toggled. One click in the admin center. One-time, irreversible choice. |
| 2 | Apple MDM push certificate | Not configured (ResourceNotFound) | Blocks ALL iPad/iOS management. Must generate at identity.apple.com/pushcert and upload. Annual renewal. |
| 3 | Apple Business Manager / DEP token | 0 tokens | Optional for 9 iPads: manual enrollment works without it, but management is lost on factory reset. Recommended. |
| 3b | Apple VPP token | 0 tokens | Not required unless paid iPad apps need to be pushed. Skip for the kitchen POS scenario. |
| 4 | Managed Google Play enterprise | bindStatus: notBound / enrollmentTarget: none | Blocks ALL Android Enterprise management (AESDM, dedicated, work profile). One-click bind in the admin center; sign in with a Cascades Google account. |
Existing Intune objects
| Object | Count | Notes |
|---|---|---|
| Compliance policies | 0 | Clean slate |
| Device configuration profiles | 0 | Clean slate |
| Enrollment configurations | 5 | All are Microsoft built-in defaults (device limit, platform restrictions, WHfB, Windows 10 ESP, Windows Restore). None custom. |
| Android Device Owner enrollment profiles | 0 | None (needed for AESDM / dedicated device mode) |
| Managed devices | 0 | None enrolled |
Gap list — what Howard needs to do before enrolling devices
Must-do (blocking)
- Set MDM authority to Intune. Admin center → Tenant administration → Mobile Device Management authority → pick Microsoft Intune. Takes 5 seconds. Cannot be undone. Hard prerequisite for every step below.
- Upload Apple MDM push certificate. Required for any iPad management. Process:
  - Intune admin center → Devices → iOS/iPadOS → Enrollment → Apple MDM Push Certificate
  - Download CSR from Intune
  - Upload CSR at identity.apple.com/pushcert using a dedicated Apple ID (recommend mdm-push@cascadestucson.com so turnover doesn't break it — not Meredith's personal, not kitchenipads@)
  - Download the .pem cert from Apple, upload back into Intune
  - Annual renewal on the same Apple ID — if the Apple ID is lost, ALL enrolled iPads must be wiped and re-enrolled
- Bind Managed Google Play account. Required for AESDM and any Android Enterprise policies.
  - Intune admin center → Devices → Android → Android Enterprise → Managed Google Play
  - Click Launch Google → sign in with a dedicated Google account (recommend managedplay@cascadestucson.com, NOT a personal Google account)
  - Accept terms, link → bindStatus becomes bound
Should-do (strong recommendation)
- Create Apple Business Manager account and link to Intune.
  - Sign up at business.apple.com (free, takes ~15 min + an Apple ID verification phone call for the D-U-N-S number)
  - Create an MDM server entry in ABM named "Intune — Cascades"
  - Download ABM token, upload to Intune at Enrollment → Apple → Enrollment program tokens
  - For existing iPads: add their serial numbers to ABM manually (one-time)
  - For future iPads: buy them through Apple or an ABM-linked reseller and they auto-appear
Not needed for current scope
- Apple VPP token — only needed if pushing paid apps. Kitchen POS app is probably free or sideloaded.
- Windows Autopilot — 89 Entra-registered Windows PCs exist, but Windows management is out of scope for this pass.
Dependencies (do in this order)
```
Step 1 (MDM authority)
│
├── Step 3 (Google Play bind) ──► can enroll Android phones
│
└── Step 2 (Apple push cert) ──► can manually enroll iPads
    │
    └── Step 4 (ABM + token) ──► iPads auto-enroll + survive reset
```
Steps 1 and 3 together unlock the 25 Android phones. Steps 1 + 2 together unlock the 9 iPads (with ABM as the recommended polish).
Policy scaffold (to be built after prereqs)
For the Android phones (AESDM):
- Enrollment profile: Android Enterprise Corporate-owned, dedicated device, mode = AOSP multi-user (this is AESDM) — generates a token/QR code for device enrollment
- Compliance policy: encryption on, screen lock 4+ digits, 2-min timeout, no developer options, no debugging, Android 11+
- Configuration profile: Wi-Fi (CSCNet), restrictions (no factory reset, no USB transfer, no unknown sources)
- Apps: Company Portal (system), Authenticator, Edge, ALIS (as web app), Teams — required, auto-install
For the kitchen iPads (Intune DEM):
- Create dem-ipads@cascadestucson.com user with Business Premium license assigned, mark as Device Enrollment Manager
- Enrollment profile: iOS/iPadOS, device-without-user-affinity, kiosk mode
- Compliance policy: passcode required, encryption on, no jailbreak
- Configuration profile: Wi-Fi (CSCNet VLAN 20), Single App Mode locked to the kitchen POS app, disable App Store, disable Settings
- Apps: kitchen POS app (required)
Data sources
Raw Graph responses cached at /tmp/remediation-tool/207fa277-e9d8-4eb7-ada1-1064d2221498/intune-prereqs/:
- org.json — organization object (MDM authority field)
- devicemgmt-beta.json — deviceManagement root
- apple-push.json — Apple push cert
- dep.json — DEP tokens
- vpp.json — VPP tokens
- gplay.json — Managed Google Play binding
- compliance.json, configs.json, enrollment.json — existing policies
- android-doe.json — Android Device Owner enrollment profiles
- managed-devices.json — enrolled device inventory
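As an added example (not part of this report or the Claude-MSP-Access app), a Python evaluator that turns the cached Graph responses listed above into the Findings table verdicts and the dependency-tree unlock logic. The property names it reads (mobileDeviceManagementAuthority, bindStatus, expirationDateTime, the OData "value" array, the "error" body) are the Graph response shapes the findings rely on; the cache path is the one quoted above and is hypothetical on any other host. The null, empty-collection and ResourceNotFound cases that produced this tenant's findings are handled explicitly.

```python
import json
from pathlib import Path

CACHE = "/tmp/remediation-tool/207fa277-e9d8-4eb7-ada1-1064d2221498/intune-prereqs"

def load(name, cache=CACHE):
    """Read one cached Graph response; a missing file is treated as a 404 body."""
    path = Path(cache) / name
    if not path.is_file():
        return {"error": {"code": "ResourceNotFound"}}
    return json.loads(path.read_text())

def is_error(resp):
    # Graph wraps 4xx/5xx results as {"error": {"code": ..., "message": ...}}.
    return isinstance(resp, dict) and "error" in resp

def count(resp):
    """Item count of an OData collection ({"value": [...]}); 0 on an error body."""
    return 0 if is_error(resp) else len(resp.get("value") or [])

def check_prereqs(org, apple_push, dep, vpp, gplay):
    """Evaluate the five prereqs from the Findings table; returns {name: (ok, detail)}."""
    # Authority is null/'unknown' until chosen; anything but 'intune' counts as unset.
    authority = org.get("mobileDeviceManagementAuthority")
    # The push-cert resource returns ResourceNotFound until a cert is uploaded.
    push_ok = not is_error(apple_push)
    push_detail = f"expires {apple_push.get('expirationDateTime')}" if push_ok else "not configured"
    bind = gplay.get("bindStatus")
    return {
        "mdm_authority": (authority == "intune", f"value={authority!r}"),
        "apple_push_cert": (push_ok, push_detail),
        "abm_dep_token": (count(dep) > 0, f"{count(dep)} tokens (optional)"),
        "apple_vpp_token": (count(vpp) > 0, f"{count(vpp)} tokens (optional)"),
        "google_play_bind": (bind == "bound", f"bindStatus={bind!r}"),
    }

def unlocked(findings):
    """Which device populations can enroll, following the dependency tree above."""
    ok = {name: status for name, (status, _) in findings.items()}
    if not ok["mdm_authority"]:  # step 1 gates every other step
        return {"android": False, "ipad_manual": False, "ipad_auto": False}
    return {"android": ok["google_play_bind"],
            "ipad_manual": ok["apple_push_cert"],
            "ipad_auto": ok["apple_push_cert"] and ok["abm_dep_token"]}

def run_from_cache(cache=CACHE):
    # Re-run the gap check offline against the cached responses.
    return check_prereqs(load("org.json", cache), load("apple-push.json", cache),
                         load("dep.json", cache), load("vpp.json", cache),
                         load("gplay.json", cache))
```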