By: Chris Urban | PM- Intune for Education, Ele Ocholi | PM- Intune for Education & Scott Breen | PM- Intune for Education
Hi, it’s Chris Urban (Atlanta, USA), Ele Ocholi (London, UK) and Scott Breen (Brisbane, Australia) from the Intune for Education team. Thanks for joining us on our series of posts about preparing for Back-to-School! Since we’re on a team which works with school districts and institutions around the world, we’d like to share a few frequently asked questions and answers our customers have about device management in an educational setting as well as a few of the lessons learned as we all navigate Back-to-School 2020.
Preparing for a new school year is always a lot of work. For most of you, one of your tasks involves readying devices, whether they be new or existing as well as one-to-one or shared. With COVID-19, this year brings a significant set of new challenges. Some schools will return to in-person classes, others must embrace complete remote learning, and some are combining both approaches. We’ve learnt the best approach to these scenarios is flexibility and having a solution that allows you to pivot as your circumstances change.
We’re all working with customers to support their device management and distribution processes, in order to empower educators and give students engaging ways to learn.
Our experience with customers pivoting to remote learning has taught us that some of the biggest challenges have been:
- Distributing devices safely and quickly
- Repurposing existing shared devices to distribute to students, shifting to a 1:1 model
- Lack of management for devices that rely on on-premises management once they are disconnected from the school network
- Password mismatch on domain-joined devices after a password change when logging on with cached credentials
- Insufficient capacity for Virtual Private Network (VPN)
- Windows Activation for Windows 10 devices that rely on an on-premises Key Management Service (KMS)
- Connectivity to on-premises resources (without a VPN)
- Internet access
Your solutions to these problems may vary depending on your situation, but we thought we would start off with the Top 5 things you can do to prepare for device management for remote learning using Intune for Education and Microsoft Endpoint Manager:
1. Get your devices managed
- For new PCs or those moving to Azure Active Directory:
- For existing computers connected to Active Directory or Configuration Manager:
  - For devices joined to Active Directory:
    - Get your devices hybrid Azure AD joined.
    - Enroll in Intune using Group Policy.
  - For customers with Configuration Manager:
    - Configure co-management so you can use Intune to manage devices while they aren’t connected to the school network, and/or
    - Configure a cloud management gateway so you can continue to approve software updates, deploy software and retrieve inventory from devices that are not connected to the school network.
- For iPadOS devices, set up device management for Apple School Manager devices and enroll.
2. Re-purpose existing devices
A key scenario we’ve seen is schools repurposing devices previously used as shared devices for use in a 1:1 scenario. If you previously used Set Up School PCs, you might have configured the device for Shared PC mode, which prevents the student from performing certain actions like configuring OneDrive or keeping files locally.
For these devices you could choose to:
- Reset the PC and use a new provisioning package that is catered more to 1:1 usage.
- Configure user-driven Autopilot, reset the PC and have the student log on during the Out-of-Box Experience.
- Leave the devices configured as a shared device and distribute to students.
3. Configure settings for the devices
Intune for Education allows a device administrator to manage features on devices and define how your users can work with their devices. These Windows and iOS/iPadOS settings can be assigned to a user and/or a device through the use of Azure Active Directory groups.
- When assigned to users in a group, the settings will follow the user no matter what device they are using.
- When assigned to devices in a group, the settings will apply to the device no matter who signs into the device.
Examples of settings which are common in school districts we’ve worked with include:
- Accounts and sign-in: Configure preferred Azure Active Directory tenant domain – when devices are targeted with this setting, students no longer need to type in “email@example.com” and can type in just “user”. This reduces keystrokes and mistakes, allowing students to log in quickly.
- Apps: for Windows devices, block access to administrative apps – when targeting non-administrator accounts, this will prevent users from running the Command Prompt, PowerShell and Registry Tools.
- Power and sleep: when targeting devices, this configures turning off device display, putting device to sleep, putting device in hibernation as well as blocking users from changing the administrative settings.
Intune for Education is a curated experience of the settings which have been requested by institutions around the world. It has Express configuration, which is a quick way to enable the recommended common settings on a device. That said, the Microsoft Endpoint Manager admin center has additional built-in settings, as well as the ability to create custom settings.
4. Deploy and Manage Apps, Microsoft Office, and Microsoft Edge
As outlined above, apps are deployed via group assignment. If an app is assigned to a user group, the app will not start the evaluation, downloading and installation until after the user logs in, so the app may not be available for a user to interact with immediately. Depending on your needs, you may choose to target apps to device groups rather than user groups. Also consider the size of the app as well as the connectivity the end user may or may not have, since both affect installation times. Another way to speed up deployments is to assign the core items that all users need to the “All devices” group.
Intune for Education supports deploying and managing these types of apps:
- Microsoft Office and Microsoft Edge desktop apps
- Microsoft Store apps
- Web apps
- Windows desktop apps (.msi)
- iOS VPP and Store apps
If you have additional app or platform needs, the Microsoft Endpoint Manager admin center includes Android store apps, managed Google Play apps, macOS, Microsoft Edge, Defender ATP (macOS) as well as Win32 apps (.exe). If there is a need to install apps in a certain order, Intune offers the ability to set up app dependencies.
5. Distribute your devices
With our larger device deployments, some lessons were:
- Deployment times should include disinfecting the device and associated peripherals.
- If possible, your plan should include distributing from multiple sites. This allows for granular contact tracing logs as well as redundancy if one site gets closed due to infection.
- Multiple sites allow for less traffic into a single, physical distribution site.
Looking for more info?
Microsoft has a lot of detailed sets of documentation on the Microsoft Docs page; our goal is to pull together sets of documentation so you have a single jump off point into those various areas.
The first area we would like to introduce on that page is the Microsoft Education area. In the IT Admins area of that microsite, we break down a workflow of steps grouped into phases. Our main focus, initially, will be in Phase 2 – Device Management. (See image below for site navigation.)
As we’ve engaged with customers around the world, it’s driven us to these Top 5 lessons learned.
Additional guidance has been published for M365 EDU deployment during COVID-19 which revolves around remote learning and Microsoft Teams.
If you are new to device management with Microsoft Endpoint Manager and Intune, we won’t be covering the fundamentals here but please start by checking out how to get started with Intune for Education.
Many of you may work with a partner or vendor for handling your IT needs. If your vendor needs to be introduced to Intune for Education and learn more, there’s a great set of intro videos online created by Joe from our team on the Intune Partner channel here.
We’re going to go technically deeper into the topics mentioned in the Top 5 and more, so join us in the next few days for our next post on enrolling Windows devices with provisioning packages and/or Set Up School PCs.