
Module 07 - EMDM Intune - Logging Reporting Managing Devices

Uploaded by

danschmidt72

Logging, Reporting and Managing Devices

Introduction

During this lab, you will learn how to review device inventory, retire and wipe devices, run Power BI
reports and use the Graph API.

Estimated Time

45 minutes

Objectives

After completing this lab, you will be able to:

• Retrieve inventory details of managed devices.
• Perform the Remote Lock activity on Intune managed devices.
• Perform Passcode Reset on Intune managed devices.
• Perform a Selective Wipe on Intune managed devices.
• Perform a Full Wipe on Intune managed devices.
• Run a PowerBI report with Intune data.
• Query Intune data using Graph Explorer.

Logon Information

Use the following credentials to sign in to the Lab on Demand Virtual environment on MMWS_Host:

• Username: Admin
• Password: Intune123!!
Table of Contents
Lab1: Reviewing Inventory Data Collected via Intune
Exercise 1: Viewing Inventory Details of a device (e.g. iOS)
Exercise 2: Intune Data Warehouse
Lab2: Passcode Reset
Exercise 1: Passcode reset for iOS Device
Lab3: Remote Lock
Exercise 1: Remote Lock a device
Lab4: Selective-Full Retire/Wipe
Exercise 1: Retire a Windows 10 device
Exercise 2: Retire an Android Enterprise device
Exercise 3: Retire an iOS device
Exercise 4: Retirement of an Android device administrator
Exercise 5: Wipe an Android device administrator
Exercise 6: Configure automatic cleanup rules for devices
Lab5: INTUNE, GRAPH and GRAPH EXPLORER
Exercise 1: Using Graph Explorer to retrieve data from your tenant
Exercise 2: Use Graph Explorer to create, modify and delete a device category for a managed device from the Intune portal

Lab1: Reviewing Inventory Data Collected via Intune
During this lab, you will learn how to view hardware inventory and compliance of devices.

Exercise 1: Viewing Inventory Details of a device (e.g. iOS)


This exercise shows how to view hardware inventory data for mobile devices.

Tasks
1. Retrieve Inventory data
Go to https://devicemanagement.microsoft.com/
Select Devices.

2. On Devices – All devices, select All Devices.

3. Then select any iOS device enrolled into Intune.


4. On the <Device Name> Page, select Hardware under the Monitor section.

5. Review the hardware inventory data collected for the associated device.

This is the expected output.


Repeat the steps above for all other devices to review the inventory data collected from
other mobile device platforms.
Exercise 1 has been completed.
Exercise 2: Intune Data Warehouse
This exercise shows how to Publish Power BI Intune Dashboards.

Tasks
1. Integrate Power BI with Intune
Navigate to the Dashboard and select the Setup Intune Data Warehouse.

Select the button for Get Power BI App under the section Use Microsoft Power BI Online.

Select GET IT NOW.


Click the CONTINUE button.

Sign-in with your O365 account.

Select Install.

When ready select the Go to app button.

(or select the Intune Compliance tile.)


Choose Connect.

Click the Sign-in button and sign in with your administrative account.

Select Reports and then select Compliance V1.0.

Review the information from all the different tabs at the bottom.
Exercise 2 has been completed.
Lab2: Passcode Reset
Exercise 1: Passcode reset for iOS Device
This exercise shows how to perform a Passcode reset for Intune managed devices.

Tasks
1. Reset passcode.
Open the Intune Portal https://devicemanagement.microsoft.com and select Devices →
All Devices, then select an iOS device from the list
On <Device Name> - Page, click on the Overview section.

On Overview page, click on …More ellipsis and select Remove passcode.

Note: For iOS it removes the existing passcode and does not create a temporary
passcode. If you are using the Touch ID fingerprint scanner for opening your device
or making purchases, you need to set it up again.

You will be prompted with a popup message Yes or No to initiate the Remove
passcode action, select Yes.

After a couple of minutes, look at the Intune portal, to see the updated status of the
device Passcode reset showing as completed.
On the iOS device, the following notification should appear: You must set an iOS
Unlock passcode within 60 minutes.

Select Continue to follow the instructions on the device to set a new passcode.
Exercise 1 has been completed.
Lab3: Remote Lock
Exercise 1: Remote Lock a device
This exercise shows how to perform Remote lock.

Tasks
1. Perform Remote Lock on the Android device.
Open the Intune Portal https://devicemanagement.microsoft.com and select Devices
→ All Devices, then select an Android device from the list.
On <Device Name> - Overview Page, select the Overview section.
On the Overview page, select Remote lock

When prompted with the popup message for Remote lock, choose Yes.

After a couple of minutes, the Portal updates the status of the device Remote lock to
succeeded on the device.

The process is identical on iOS and macOS.


See: https://docs.microsoft.com/en-us/intune-user-help/remote-lock-your-device-
cp website and it is not available for Windows 10 devices.

Exercise 1 has been completed.


Lab4: Selective-Full Retire/Wipe
Exercise 1: Retire a Windows 10 device
This exercise shows how to perform a Selective/Full Wipe on Intune managed devices.

Tasks
1. Perform a Retire on Windows 10 device
Open the Intune Portal https://devicemanagement.microsoft.com and select Devices
→ All Devices, then select a Windows device from the list.
On the <Device Name> - Overview Page, select the Overview section.
On the Overview page, choose Retire to initiate selective wipe activity.

You will be prompted to remove company data, select Yes for the popup message:

Wait a few minutes, then connect to the Windows 10 device.


Notice that your Line-Of-Business apps were removed from the device.
After some time, the device will be deleted from the Intune → Device → All devices
view.
Exercise 1 has been completed
Exercise 2: Retire an Android Enterprise device
This exercise shows how to perform a Selective Wipe on Intune managed devices.

Tasks
1. Perform a Selective Wipe on an Android Enterprise device.
Open the Intune Portal https://devicemanagement.microsoft.com and select Devices
→ All Devices, then choose an Android for work device from the list.
On the <Device Name> - Overview Page, select the Overview section.
On the Overview page, choose Retire to initiate selective wipe activity.

Note: The Wipe option is not available for Android Enterprise enrolled devices.

When prompted to remove company data, select Yes for the popup message.
Wait a few moments, then on the Android Enterprise enrolled device scroll down to
read the notification that says that the Work profile has been deleted.

Exercise 2 has been completed.


Exercise 3: Retire an iOS device
This exercise shows how to perform a Selective Wipe on Intune managed devices.

Tasks
1. Perform a Selective Wipe on an iOS device.
Open the Intune Portal https://devicemanagement.microsoft.com and select Devices
→ All Devices, then select an iOS device from the list.
On the <Device Name> - Overview Page, select the Overview section.
On the Overview page, select Retire to initiate selective wipe activity.
When prompted to remove company data, choose Yes for the popup message.

If the device is turned on, it receives the selective wipe within a few minutes. As soon
as you launch the Company Portal app, you should see a notification popup
indicating Device Unenrolled.

Most of the settings applied are removed from the device. You can review the
following URL to see what has been removed by the selective wipe:
https://docs.microsoft.com/en-us/sccm/mdm/deploy-use/wipe-lock-reset-devices

After some time, the device is deleted from the Portal


Exercise 3 has been completed.
Exercise 4: Retirement of an Android device administrator
This exercise shows how to perform a Selective Wipe on Intune managed devices.

Tasks
1. Perform Retirement of an Android device.
Open the Intune Portal https://devicemanagement.microsoft.com and select Devices
→ All Devices, then select an Android device from the list.
On the <Device Name> - Overview Page, select the Overview section.
On the Overview page, select Retire to initiate selective wipe activity.

You will be prompted to remove company data, click Yes on the popup message:

After a few moments open the Company Portal and you will see this pop-up.
Notice that your Line-Of-Business apps are removed from the device.
After some time, the device is deleted from the Intune → Device → All devices view.
Most of the settings applied will be removed from the device.

You can review the following URL to see what is removed in a selective wipe:
https://docs.microsoft.com/en-us/intune/devices-wipe

After some time, the device is deleted from the Portal.


On the Android device when the process is completed you will also receive a
notification like this one:

Exercise 4 has been completed.


Exercise 5: Wipe an Android device administrator
This exercise shows how to perform a Wipe on Intune managed devices.

Tasks
1. Wipe an Android device.
Open the Intune Portal https://devicemanagement.microsoft.com and select Devices
→ All Devices, then select an Android device from the list.
On the <Device Name> - Overview Page, select the Overview section.
On the Overview page, select Wipe to initiate the wipe activity.

When prompted to factory reset the device, choose Yes for the popup message:

When the Wipe process starts, the device will restart and you will see the erasing
process bringing the device to its factory settings.
Exercise 5 has been completed.
Exercise 6: Configure automatic cleanup rules for devices
This exercise shows how to configure cleanup rules for an Intune managed device.

Tasks
1. Configure automatic cleanup rules
Open the Intune Portal https://devicemanagement.microsoft.com and select Devices
→ (Other), then select Device clean-up rules:

When prompted to Delete devices based on last check-in date select Yes.
For Delete devices that haven't checked in for this many days, enter 90.

Choose Save – Device cleanup rules and then select Yes to enable the cleanup rule.
Exercise 6 has been completed.
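
Before enabling a rule that deletes devices, it helps to preview which records it would remove. The following is an added example, not part of the original lab: it applies the 90-day threshold from this exercise to a constructed managedDevices response. It assumes the rule's "last check-in date" corresponds to the Graph lastSyncDateTime property and that a never-synced device reports a year-0001 timestamp; cleanup_preview and parse_sync are hypothetical helper names.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like a GET .../deviceManagement/managedDevices response.
SAMPLE = {"value": [
    {"deviceName": "LAB-IOS-01", "lastSyncDateTime": "2024-05-30T08:15:00Z"},
    {"deviceName": "LAB-AND-02", "lastSyncDateTime": "2024-01-10T12:00:00.123Z"},
    {"deviceName": "LAB-WIN-03", "lastSyncDateTime": "0001-01-01T00:00:00Z"},
    {"deviceName": "LAB-WIN-04"},  # property missing from the record
]}


def parse_sync(value):
    """Parse a Graph UTC timestamp; return None when it is absent or a placeholder."""
    if not value:
        return None
    # Keep only YYYY-MM-DDTHH:MM:SS so fractional seconds do not break parsing.
    ts = datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return None if ts.year == 1 else ts  # assumption: year 0001 means "never synced"


def cleanup_preview(response, now, days=90):
    """Return (stale, unknown): devices past the threshold and devices with no usable date."""
    cutoff = now - timedelta(days=days)
    stale, unknown = [], []
    for dev in response.get("value", []):
        ts = parse_sync(dev.get("lastSyncDateTime"))
        if ts is None:
            unknown.append(dev["deviceName"])  # review by hand, do not assume stale
        elif ts < cutoff:
            stale.append((dev["deviceName"], (now - ts).days))
    stale.sort(key=lambda item: -item[1])  # longest-silent devices first
    return stale, unknown


if __name__ == "__main__":
    stale, unknown = cleanup_preview(SAMPLE, datetime(2024, 6, 1, tzinfo=timezone.utc))
    for name, age in stale:
        print(f"{name}: last check-in {age} days ago, would be deleted")
    print("no usable check-in date:", ", ".join(unknown))
```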
Lab5: INTUNE, GRAPH and GRAPH EXPLORER
Exercise 1: Using Graph Explorer to retrieve data from your tenant
This exercise shows how to see your managed devices using Graph explorer and compare with
what is in the Intune portal.

Tasks
1. See your managed devices from Intune portal by Using Microsoft Graph Explorer.
Open Graph Explorer from https://developer.microsoft.com/en-us/graph/graph-explorer#

Select Sign in with Microsoft using your global administrator account.


Mark the check box and Accept when the Permission request pops up.

Once signed in you will notice an access token on the left side of the window. Any call
made against Microsoft Graph requires an access token which can only be issued by Azure
Active Directory, thus having a tenant is mandatory.

If you click on modify permissions, you will notice that some of them are already
marked. Microsoft Graph exposes granular permissions that control the access that
apps have to resources, like users, groups, and device management (with Intune). For
your application to be able to access Intune data, depending on its purpose, some or
all of these permissions need to be granted.

To identify the Graph command to run in Graph Explorer to retrieve your managed
devices from Intune, you can either look up the command in the Microsoft docs:
https://docs.microsoft.com/en-us/graph/api/resources/intune-devices-manageddevice?view=graph-rest-1.0
or, if you do not know which API you need to use, go into the Intune portal and
press F12 to open Developer mode using an Edge browser. Then go to Network and
select All devices; you will notice a GET command for the manageddevices.

Look for Request URL: under Headers

Below is an example of the Intune portal when retrieving the HTTP command for
the managed devices:
Copy the Request URL from there, go to Graph Explorer, paste the URL at the
top and click Run Query. In the response preview you will see all the details of the
managed devices you have in your Intune portal.

If this is the first time you are running the request, you may get a Permission denied error.
Select modify your permission and select DeviceManagementManagedDevices.Read.All.

Click Modify Permission

Log back in to Graph Explorer, then click Accept at the pop-up.
Security is particularly important!

When the permission is set correctly this is the expected output:

Exercise 1 has been completed.


Exercise 2: Use Graph Explorer to create, modify and delete a device category for a managed device from the Intune portal
This exercise shows how to create, update, and delete a device category of a managed device using
Graph explorer and compare it with what is in the Intune portal.

Tasks
1. Create a device category of a managed device from the Intune portal by Using
Microsoft Graph Explorer.
In order to create a device category, first check if there are any existing device
categories. Navigate to Devices → Device Categories.

Mark the box for Create device category, give it a name (for example: test) and click the
Create button.
Using F12 debugger mode, copy the Request URL that shows the category list,
https://graph.microsoft.com/beta/deviceManagement/deviceCategories, and paste
it into Graph Explorer.

Now that we have listed the available device categories, we will start creating two
device categories using Graph Explorer.

To create device categories you will need to use the command from the doc:
https://docs.microsoft.com/en-us/graph/api/intune-shared-devicecategory-create?view=graph-rest-1.0

Copy the URL below and paste it into Graph Explorer and change the command to
POST instead of GET using the drop-down arrow.
POST https://graph.microsoft.com/v1.0/deviceManagement/deviceCategories
Paste the data below into the Request Body.
{
"@odata.type": "#microsoft.graph.deviceCategory",
"displayName": "Company 1",
"description": "My Company Name"
}

You will get another permission error if you are doing this for the first time.

If the message says “Application is not authorized to perform this operation.
Application must have one of the following scopes:
DeviceManagementManagedDevices.ReadWrite.All”, click on modify your permission,
grant yourself the DeviceManagementManagedDevices.ReadWrite.All permission and
repeat the exercise.
This is the expected output.

2. Update a device category of a managed device from Intune portal by Using Microsoft
Graph Explorer.
In this task we will update the device category we created earlier on called “Company
1” using Graph Explorer. Therefore, in order to perform this test, we will first identify
what is the API command that we need to update.

https://docs.microsoft.com/en-us/graph/api/intune-shared-devicecategory-update?view=graph-rest-1.0

Retrieve the device category ID from a device you want to change category for using
GET https://graph.microsoft.com/v1.0/deviceManagement/deviceCategories

Copy the URL below and paste it into Graph Explorer, changing the command to
PATCH instead of GET.
PATCH https://graph.microsoft.com/v1.0/deviceManagement/deviceCategories/{deviceCategoryId}
Where the deviceCategoryId is taken from the GET Query.

Paste the data below into the Request Body:

{
"displayName": "Company 2",
"description": "Test value CHANGED"
}

and this is the expected output:


You can go to the Intune portal to confirm that the category has changed.

3. Delete a device category for a managed device from the Intune portal by Using
Microsoft Graph Explorer.
To delete the device category, we will use the command as per the doc:
https://docs.microsoft.com/en-us/graph/api/intune-shared-devicecategory-delete?view=graph-rest-1.0
Copy the URL below and paste it into Graph Explorer, changing the command to DELETE
instead of GET.
DELETE https://graph.microsoft.com/v1.0/deviceManagement/deviceCategories/{deviceCategoryId}
Copy the ID of the category you want to delete and paste it into the graph command
and run query.

Go to the Intune portal to confirm the category has been removed.

Exercise 2 has been completed.
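
The permission errors in both exercises come down to which scopes the access token carries. The following is an added example, not part of the original lab: it reads the scopes from a token and compares them with what the lab's Graph calls need, reporting scopes that are missing and device-management scopes that are granted but unused. It assumes the delegated token is a JWT with a space-separated scp claim; the helper names and the constructed sample token are hypothetical, and the scope mapping covers only the calls made in this lab.

```python
import base64
import json

READ = "DeviceManagementManagedDevices.Read.All"
WRITE = "DeviceManagementManagedDevices.ReadWrite.All"
# Least-privileged delegated scope for each call made in this lab.
REQUIRED = {
    ("GET", "managedDevices"): READ,
    ("GET", "deviceCategories"): READ,
    ("POST", "deviceCategories"): WRITE,
    ("PATCH", "deviceCategories"): WRITE,
    ("DELETE", "deviceCategories"): WRITE,
}
PREFIXES = ("https://graph.microsoft.com/v1.0/deviceManagement/",
            "https://graph.microsoft.com/beta/deviceManagement/")


def make_sample_token(scopes):
    """Constructed, unsigned sample token for this demo; not a real credential."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"scp": " ".join(scopes)}), "sig"])


def token_scopes(jwt):
    """Read the 'scp' claim from the token payload (inspection only, no verification)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return set(claims.get("scp", "").split())


def required_scope(method, url):
    """Map a Graph request to the scope it needs; unknown calls are rejected."""
    for prefix in PREFIXES:
        if url.startswith(prefix):
            resource = url[len(prefix):].split("?")[0].split("/")[0]
            scope = REQUIRED.get((method.upper(), resource))
            if scope:
                return scope
    raise ValueError(f"no scope mapping for {method} {url}")


def audit(jwt, calls):
    """Return (missing, excess) device-management scopes for the planned calls."""
    granted = token_scopes(jwt)
    needed = {required_scope(m, u) for m, u in calls}
    # ReadWrite.All also authorises the read calls, so Read.All is then not missing.
    missing = {s for s in needed
               if s not in granted and not (s == READ and WRITE in granted)}
    excess = {s for s in granted if s.startswith("DeviceManagement")} - needed
    return sorted(missing), sorted(excess)
```

A non-empty excess list after the lab is a prompt to remove the write consent again if only read access is needed going forward.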
