claudetools/clients/cascades-tucson/session-logs/2026-04-20-howard-intune-mdm-prereqs-and-enrollment-profile.md
Howard Enos a00f1b0c3e sync: auto-sync from ACG-TECH03L at 2026-04-20 00:02:36
Author: Howard Enos
Machine: ACG-TECH03L
Timestamp: 2026-04-20 00:02:36
2026-04-20 00:02:38 -07:00

Cascades Tucson — Intune MDM prereqs + Android enrollment profile

User

  • User: Howard Enos (howard)
  • Machine: ACG-TECH03L
  • Role: tech

Session

  • Date: 2026-04-19 → 2026-04-20 (spanned midnight UTC)
  • Goal: Take Cascades from zero Intune config to ready-to-enroll for 25 Samsung A15 caregiver phones + 9 kitchen iPads

Starting state

Per reports/2026-04-19-intune-mdm-prereq-gap.md the tenant had Intune provisioned but nothing configured: MDM authority null, no Apple push cert, Managed Play notBound, and no compliance, configuration or enrollment profiles.

What we did

1. MDM service account (MDMS@cascadestucson.com)

First attempt was mdm@cascadestucson.com. Created the M365 user with Business Premium (one of 34 spare SPB seats, $0 new spend), enrolled Microsoft Authenticator for MFA, then pre-created a consumer Google account at accounts.google.com/signup for the Managed Play binding. That was the wrong order: the Managed Play enterprise signup flow rejects any email that already has a consumer Google account, throwing "Email address is associated with an existing consumer account." Dropped the whole mdm@ identity (deleted in M365 and Google) and recreated it as MDMS@cascadestucson.com. This time we went straight to the Intune "Launch Google" bind flow without pre-creating anything, and Google created the enterprise admin identity cleanly.

  • Account: MDMS@cascadestucson.com, display "MDMS Service Account", standard user (no admin roles), Business Premium
  • MFA: Microsoft Authenticator (Howard's personal device — transition later)
  • Forwarding: ForwardingSmtpAddress=howard@azcomputerguru.com, DeliverToMailboxAndForward=true, set with Set-Mailbox via the Exchange Online REST-based cmdlets
  • MFA enforcement: already covered by tenant CA policy "Require multifactor authentication for all users" (8 CA policies total on the tenant, pre-existing)
  • Vault: clients/cascades-tucson/mdm-service-account.sops.yaml

2. Managed Google Play enterprise bind

Clicked "Launch Google to connect now" from Intune → Google signup flow created the Managed Play enterprise tied to MDMS@ → redirected back to Intune.

  • Graph verified: bindStatus: boundAndValidated, owner mdms@cascadestucson.com, organization "Cascades of Tucson"
  • Note: Intune auto-created a default "personally-owned work profile" Android enrollment profile during the bind. Harmless — we're using Dedicated mode, not work profile.

3. Apple MDM Push Certificate

Phase A (Intune) → download CSR. Phase B (Apple) → created Apple ID mdms@cascadestucson.com. Phase C → upload CSR to identity.apple.com/pushcert, download .pem. Phase D → upload .pem + Apple ID back to Intune.

  • Cert serial: 16FA0CAED8EEB74F
  • Topic: com.apple.mgmt.External.84214b0c-21cc-4b44-8fd0-e5ad569109ea
  • Expires: 2027-04-20 → renewal task #9 scheduled for 2027-03-20
  • CRITICAL: at renewal time use the SAME Apple ID and click "Renew", not "Create". Creating a new cert means all enrolled iPads wipe.
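A re-check of the three gaps from the starting state (MDM authority, APNs cert with the renewal lead time used for task #9, Managed Play bind) against Graph responses; this is an added example, not the remediation tool's code, and the sample responses are constructed from the values recorded in this log.

```python
"""Re-check the three Intune prerequisites this log walks through (MDM authority,
Apple MDM push certificate, Managed Google Play bind) from Microsoft Graph responses.
Added example, not the remediation tool referenced in the log; sample responses
below are constructed from the values recorded in this log."""
import json
import urllib.request
from datetime import date, datetime, timedelta

GRAPH = "https://graph.microsoft.com"
APNS_RENEWAL_LEAD_DAYS = 31  # the log's renewal task sits one month before expiry
# Graph paths the three checks read from (beta where the property only exists there):
#   /beta/organization/{id}                 -> mobileDeviceManagementAuthority
#   /v1.0/deviceManagement/applePushNotificationCertificate
#   /beta/deviceManagement/androidManagedStoreAccountEnterpriseSettings

def graph_get(token: str, path: str) -> dict:
    """GET a Graph path with a bearer token (e.g. the token cached by the tool run)."""
    req = urllib.request.Request(GRAPH + path, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def check_prereqs(org: dict, apns: dict, play: dict, today: str) -> dict:
    """Evaluate the gap checks as of `today` (ISO date); returns name -> (ok, detail)."""
    now = date.fromisoformat(today)
    results = {}
    authority = org.get("mobileDeviceManagementAuthority")
    results["mdm_authority"] = (authority == "intune", str(authority))
    expires = apns.get("expirationDateTime")
    if expires:
        exp = datetime.fromisoformat(expires.replace("Z", "+00:00")).date()
        renew_by = exp - timedelta(days=APNS_RENEWAL_LEAD_DAYS)
        # OK only while the cert is outside its renewal window; same Apple ID + "Renew" at that point
        results["apns_cert"] = (now < renew_by, f"expires {exp}, renew by {renew_by}, topic {apns.get('topicIdentifier')}")
    else:
        results["apns_cert"] = (False, "no Apple MDM push certificate uploaded")
    status = play.get("bindStatus")
    results["managed_play"] = (status == "boundAndValidated", f"{status}, owner {play.get('ownerUserPrincipalName')}")
    return results

# Constructed sample responses shaped like the Graph objects, values from this log.
SAMPLE_ORG = {"mobileDeviceManagementAuthority": "intune"}
SAMPLE_APNS = {"appleIdentifier": "mdms@cascadestucson.com", "expirationDateTime": "2027-04-20T00:00:00Z",
               "topicIdentifier": "com.apple.mgmt.External.84214b0c-21cc-4b44-8fd0-e5ad569109ea"}
SAMPLE_PLAY = {"bindStatus": "boundAndValidated", "ownerUserPrincipalName": "mdms@cascadestucson.com",
               "ownerOrganizationName": "Cascades of Tucson"}

if __name__ == "__main__":
    for name, (ok, detail) in check_prereqs(SAMPLE_ORG, SAMPLE_APNS, SAMPLE_PLAY, "2026-04-20").items():
        print(f"{'OK ' if ok else 'GAP'} {name}: {detail}")
```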

4. Wi-Fi credential vaulted

CSCNet WPA2-Personal password (Ftfd85710#) was only in Syncro customer notes. Added to vault: clients/cascades-tucson/wifi-cscnet.sops.yaml. Per-room VLAN assignment is handled at the UniFi controller level — phones on staff areas will land on VLAN 20 (INTERNAL).

5. Android enrollment foundation

  • Entra security group: Cascades - Shared Phones (Assigned membership)
  • Enrollment profile: CSC - Android Shared Phones — Corporate-owned dedicated device (NOT AOSP multi-user)
  • Token: MVDVVDMPSHYJAGDAJOCN, QR code generated, expires 2026-06-22
  • Profile now linked to the Entra group (devices auto-join on enrollment)

Architecture notes for tomorrow

  • Hardware is Samsung Galaxy A15 (consumer) → Android Enterprise Dedicated + Microsoft 365 Shared Device Mode, not AOSP multi-user. Shared sign-in happens at the app layer (Teams/Authenticator/Edge use Entra ID with global sign-out clearing state between caregivers).
  • HIPAA audit trail: per-user identity exists at the app layer (Entra sign-in into Microsoft apps), not at the OS level. This matches what's acceptable for shared-device caregiver scenarios.
  • iPads are already on a generic Apple ID and physically deployed in the kitchen. Bringing them into Intune is lower priority than phones. ABM + DEM deferred until after phones are live.

What's next (pick up here)

Phase B Android config — walkthrough started, paused at B-1:

  • B-1: Compliance policy CSC - Android Compliance (HIPAA baseline) — min Android 13, numeric-complex 6-digit PIN, 2-min inactivity lock, encryption required, block rooted devices. Walkthrough was written, Howard to execute first thing.
  • B-2: Configuration profile for CSCNet Wi-Fi + dedicated-device restrictions (block factory reset, no USB transfer, no unknown sources)
  • B-3: Required apps from Managed Play — Company Portal, Microsoft Authenticator, Microsoft Edge, Microsoft Teams
  • B-4: ALIS web app/shortcut pointing to https://cascadestucson.alisonline.com/Login
  • B-5: App configuration policy enabling Shared Device Mode on Authenticator + Teams
  • B-6: Test enroll 1 phone via QR code, validate, then roll remaining 24
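The B-1 baseline expressed as the Graph compliance-policy object, plus a drift check that flags a deployed policy weaker than the baseline; this is an added example, not part of the walkthrough, and the scheduled-action rule name is a placeholder.

```python
"""Encode the B-1 HIPAA baseline ('CSC - Android Compliance') as an Intune
androidDeviceOwnerCompliancePolicy and flag any deployed policy that is weaker.
Added example, not the walkthrough's own tooling; Graph property names, placeholder rule name."""
import json

BASELINE = {
    "@odata.type": "#microsoft.graph.androidDeviceOwnerCompliancePolicy",
    "displayName": "CSC - Android Compliance",
    "osMinimumVersion": "13",
    "passwordRequired": True,
    "passwordRequiredType": "numericComplex",   # numeric-complex PIN
    "passwordMinimumLength": 6,
    "passwordMinutesOfInactivityBeforeLock": 2,
    "storageRequireEncryption": True,
    "securityBlockJailbrokenDevices": True,     # "block rooted devices" in the Intune UI
}

def _version(v) -> tuple:
    return tuple(int(p) for p in str(v).split("."))

def baseline_drift(policy: dict) -> list:
    """Return (setting, expected, actual) for every setting weaker than the baseline."""
    drift = []
    for key, want in BASELINE.items():
        if key in ("@odata.type", "displayName"):
            continue
        got = policy.get(key)
        if got is None:
            ok = False
        elif key == "osMinimumVersion":                       # newer minimum OS is stricter
            ok = _version(got) >= _version(want)
        elif key == "passwordMinimumLength":                  # longer PIN is stricter
            ok = got >= want
        elif key == "passwordMinutesOfInactivityBeforeLock":  # shorter timeout is stricter
            ok = got <= want
        else:
            ok = got == want
        if not ok:
            drift.append((key, want, got))
    return drift

def policy_body() -> str:
    """JSON for POST /v1.0/deviceManagement/deviceCompliancePolicies; Intune rejects a
    create without scheduledActionsForRule, so block immediately on noncompliance."""
    body = dict(BASELINE, scheduledActionsForRule=[{"ruleName": "PasswordRequired",
        "scheduledActionConfigurations": [{"actionType": "block", "gracePeriodHours": 0}]}])
    return json.dumps(body, indent=2)

WEAKENED = dict(BASELINE, passwordRequiredType="numeric", passwordMinutesOfInactivityBeforeLock=15)  # constructed
```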

Estimated total time to finish Phase B + first test enroll: ~60-90 minutes.

Artifacts

  • Prereq gap report: reports/2026-04-19-intune-mdm-prereq-gap.md
  • Vault: clients/cascades-tucson/mdm-service-account.sops.yaml (full MDM identity + credentials)
  • Vault: clients/cascades-tucson/wifi-cscnet.sops.yaml (CSCNet WPA2 password)
  • Graph artifacts: /tmp/remediation-tool/207fa277-e9d8-4eb7-ada1-1064d2221498/ (cached token + query responses)