Imprivata Mobile Access Management has deep integration with Microsoft Intune. The instructions below describe how to set up MAM to use Microsoft Graph APIs. Optionally, you may add an Enrollment Profile for touch-free enrollments of non-DEP devices.
To configure the Imprivata Locker Android app with Intune’s Managed Home Screen, see this article.
API Integration
Microsoft API Integration is recommended for both DEP and non-DEP enrollments. API integration adds features to customize your workflows, including device delete, device sync, and clear passcode.
There is a one-time process to allow Mobile Access Management access to your Intune tenant. First, your Azure administrator must create a new App Registration within Azure. Then your MAM administrator will add the Azure OAuth credentials to MAM.
Azure Setup
1. Log into your Azure tenant at portal.azure.com.
2. Search for the service App registrations.
3. Create a new registration.
4. Name the application “GroundControl API Access” or something similar.
5. Choose the most limited account type.
6. Leave the Redirect URI blank.
7. Click OK to create the application.
8. In the vertical navigation bar, select API permissions.
9. Select the Microsoft Graph API.
10. Select Application permissions.
11. Add permissions for:
- DeviceManagementManagedDevices.PrivilegedOperations.All
- DeviceManagementManagedDevices.ReadWrite.All
- DeviceManagementConfiguration.Read.All
- DeviceManagementConfiguration.ReadWrite.All
- DeviceManagementServiceConfig.Read.All
- DeviceManagementServiceConfig.ReadWrite.All
- Device.Read.All
- Device.ReadWrite.All
- Directory.Read.All
- Directory.ReadWrite.All
- If your environment utilizes Azure shared iOS devices, add User.Read as a Delegated Permission for authenticating to Microsoft apps. For more information, see Authenticate to Microsoft Apps on iOS devices.
12. Click Add Permissions.
13. Now that you have created the application, you need to grant permissions to it. At the top of the permission list is an action Grant admin consent for <company name>.
14. Consent to allow the application to access your Intune managed devices.
15. In the vertical navigation bar, click Overview.
16. Copy both the Application (client) ID and the Directory (tenant) ID to a safe place. You will use these in the MAM Admin console.
17. In the vertical navigation bar, click on Clients & Secrets.
18. Click New client secret.
19. Name the new secret with a useful description.
20. Select the expiration for the client secret. You may choose any value, but if it expires you must regenerate a new secret and load it into Mobile Access Management.
21. Add the new secret, copy the value (not the ID), and store it in a safe place. You will use the client secret value in the MAM Admin console.
22. You may now close Azure.
Mobile Access Management Setup
1. In the MAM admin console, navigate to Admin > MDMs.
2. To add a new MDM, click Add and select Intune.
3. Type a descriptive name in the MDM Name box. Skip the enrollment profile. Enable API Integration.
4. Enter your Client ID, Client Secret, and Tenant ID.
5. Click Test to see a successful connection.
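The Test button only confirms that the client ID, secret, and tenant ID produce a token. The following is an added example (not Imprivata's or Microsoft's code) that goes one step further: it requests an app-only token with the client credentials grant and compares the token's roles claim against the application permissions listed in the Azure Setup steps, so a permission that was added but never admin-consented (reported as missing) or an over-privileged registration (reported as extra) is caught before the MDM is put into production. The delegated User.Read permission does not appear in an app-only token and is therefore not checked. make_unsigned_jwt() builds a constructed token so the check can be exercised offline.

```python
import base64
import json
import urllib.parse
import urllib.request

# Application permissions from the Azure Setup steps, as Graph role names.
REQUIRED_ROLES = {
    "DeviceManagementManagedDevices.PrivilegedOperations.All",
    "DeviceManagementManagedDevices.ReadWrite.All",
    "DeviceManagementConfiguration.Read.All",
    "DeviceManagementConfiguration.ReadWrite.All",
    "DeviceManagementServiceConfig.Read.All",
    "DeviceManagementServiceConfig.ReadWrite.All",
    "Device.Read.All",
    "Device.ReadWrite.All",
    "Directory.Read.All",
    "Directory.ReadWrite.All",
}

def fetch_token(tenant_id, client_id, client_secret):
    """Client credentials grant (app-only) against the tenant's v2.0 endpoint."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    with urllib.request.urlopen(url, data=body, timeout=30) as resp:
        return json.load(resp)["access_token"]

def jwt_payload(token):
    """Decode the JWT payload only; no signature check, so inspect, never trust."""
    part = token.split(".")[1]
    part += "=" * (-len(part) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(part))

def check_roles(token):
    """'missing' = admin consent not granted for a required permission;
    'extra' = the registration holds more than MAM needs."""
    granted = set(jwt_payload(token).get("roles", []))
    return {"missing": sorted(REQUIRED_ROLES - granted),
            "extra": sorted(granted - REQUIRED_ROLES)}

def make_unsigned_jwt(payload):
    """Constructed, unsigned token so check_roles() can be exercised offline."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(payload)}."
```

Against a real tenant, run check_roles(fetch_token(tenant_id, client_id, client_secret)) with the values copied from the Azure Overview and client secret pages; an empty missing list means consent was granted for every required permission.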