Skip to content

Configure beem Device Management – Microsoft Intune

This playbook walks you through connecting beem to Microsoft Intune for beem Device Management, so device compliance status can be enforced at network-access time.

Prerequisites

  • The user who creates the application in Microsoft Entra ID must hold the Global Administrator, Application Administrator, or Cloud Application Administrator role.
  • The user who creates the beem Device Management profile in Concerto must have the right to create the profile (Enterprise Administrator role).

To create the beem Device Management profile in Concerto, you need the following information from the newly created Entra ID application:

FieldValue
Directory (tenant) IDDirectory (tenant) ID from the Microsoft Entra ID application
Application (client) IDApplication (client) ID from the Microsoft Entra ID application
Client SecretClient secret value

Create the application in Microsoft Entra ID

Sign in to the Microsoft Entra ID portal as a Global Administrator, Application Administrator, or Cloud Application Administrator.

  1. Open Microsoft Entra ID — click the Microsoft Entra ID icon, or enter Microsoft Entra in the search box and select the Microsoft Entra ID icon.

  2. Click App registrations.

  3. Select All applications.

  4. Select New registration.

  5. Enter a name for the application. Leave the other settings unchanged and click Register.

  6. Click Manage.

  7. Select API permissions.

  8. Select Add a permission.

  9. In the Microsoft APIs section, select the Intune application.

  10. Select Application permissions.

  11. In the permissions search box, type get_device_compliance, select the get_device_compliance permission, and click Add permissions.

  12. Select Add a permission again.

  13. Select Microsoft Graph.

  14. Select Delegated permissions.

  15. In the permissions search box, type AdministrativeUnit.Read.All, open the container, and select the permission. Add the following permissions the same way if they were not already added when the application was created:

    • Device.Read
    • DeviceManagementApps.Read.All
    • DeviceManagementManagedDevices.PrivilegedOperations.All
    • DeviceManagementManagedDevices.Read.All
    • email
    • openid
    • profile
    • User.Read
    • User.ReadBasic.All
  16. When all permissions are selected, click Add permissions.

  17. Select Add a permission again.

  18. Select Microsoft Graph.

  19. Select Application permissions.

  20. In the permissions search box, type DeviceManagementManagedDevices.PrivilegedOperations.All, open the container, and select the permission. Add DeviceManagementManagedDevices.Read.All the same way.

  21. When all permissions are selected, click Add permissions.

  22. Select Grant admin consent for your tenant.

  23. Click Yes. The required permissions are now configured.

  24. In the menu, select Certificates & secrets.

  25. Click New client secret.

  26. Enter a description in the Description field. In the Expires drop-down list, select the option that suits you or leave the default, then click Add.

  27. Copy the Value of the client secret using the copy icon at the end of the field. You need this value for the configuration in Concerto.

    WARNING

    Copy the client secret value now — it is no longer visible after you leave the application.

  28. Select Overview in the menu.

  29. Copy the Application (client) ID value and the Directory (tenant) ID value using the copy icon at the end of each line. You need both values for the configuration in Concerto.

Add a beem Device Management profile

Sign in to Concerto with a user who has rights to create an beem Device Management profile (Enterprise Administrator role).

You need the following information to configure the profile:

FieldValue
NameA name for the profile
DescriptionA description for the profile, e.g. Microsoft Intune MDM profile
TagsOne or more tags, if needed
Directory (tenant) IDDirectory (tenant) ID from the Microsoft Entra ID application
Application (client) IDApplication (client) ID from the Microsoft Entra ID application
Client SecretClient secret value
Authentication Domainlogin.microsoftonline.com
API Domaingraph.microsoft.com
  1. In the tenant, select Configure, then Partner Integration, then Unified Endpoint Management.

  2. Select Microsoft Intune and click the Get Started button.

  3. Fill out the mandatory fields with the information from the table above.

  4. Click the Save button. The configuration is saved successfully.

  5. Click Publish (top right-hand corner) to publish the configuration to the gateway(s) so it becomes active.

  6. In the Gateway Publish Status window, click the Publish button.

    WARNING

    Publishing applies not only this configuration but also any pending changes made to other configurations.

Create a policy rule to check the device compliance status

Sign in to Concerto with a user who has rights to create a policy rule.

  1. In the beem tenant, select Configure, then Secure Access, then Client-based Access, then Policy Rules.

  2. Click the Add button.

  3. Complete step 1 (Operating System) and step 2 (Users and Groups). In step 3 (Endpoint Posture), click the Customize button in the Device Compliance Status pane.

  4. Select the Managed Devices option and choose the appropriate status. Once the status is set, click Back or Next.

  5. Complete steps 4, 5, and 6. In step 7 (Client Configuration), click the Customize button in the Client Controls pane.

  6. In the Certificate Issuer field, enter the string Microsoft Intune MDM Device CA.

    WARNING

    Specifying the Certificate Issuer is essential. If you do not, the secure access client will not send the device ID when connecting to gateways, so the correct policy will not match.