Configure beem Device Management – Microsoft Intune
This playbook walks you through connecting beem to Microsoft Intune for beem Device Management, so device compliance status can be enforced at network-access time.
Prerequisites
- The user who creates the application in Microsoft Entra ID must hold the Global Administrator, Application Administrator, or Cloud Application Administrator role.
- The user who creates the beem Device Management profile in Concerto must have the right to create the profile (Enterprise Administrator role).
To create the beem Device Management profile in Concerto, you need the following information from the newly created Entra ID application:
| Field | Value |
|---|---|
| Directory (tenant) ID | Directory (tenant) ID from the Microsoft Entra ID application |
| Application (client) ID | Application (client) ID from the Microsoft Entra ID application |
| Client Secret | Client secret value |
Create the application in Microsoft Entra ID
Sign in to the Microsoft Entra ID portal as a Global Administrator, Application Administrator, or Cloud Application Administrator.
Open Microsoft Entra ID — click the Microsoft Entra ID icon, or enter
Microsoft Entrain the search box and select the Microsoft Entra ID icon.Click App registrations.
Select All applications.
Select New registration.
Enter a name for the application. Leave the other settings unchanged and click Register.
Click Manage.
Select API permissions.
Select Add a permission.
In the Microsoft APIs section, select the Intune application.
Select Application permissions.
In the permissions search box, type
get_device_compliance, select theget_device_compliancepermission, and click Add permissions.Select Add a permission again.
Select Microsoft Graph.
Select Delegated permissions.
In the permissions search box, type
AdministrativeUnit.Read.All, open the container, and select the permission. Add the following permissions the same way if they were not already added when the application was created:Device.ReadDeviceManagementApps.Read.AllDeviceManagementManagedDevices.PrivilegedOperations.AllDeviceManagementManagedDevices.Read.AllemailopenidprofileUser.ReadUser.ReadBasic.All
When all permissions are selected, click Add permissions.
Select Add a permission again.
Select Microsoft Graph.
Select Application permissions.
In the permissions search box, type
DeviceManagementManagedDevices.PrivilegedOperations.All, open the container, and select the permission. AddDeviceManagementManagedDevices.Read.Allthe same way.When all permissions are selected, click Add permissions.
Select Grant admin consent for your tenant.
Click Yes. The required permissions are now configured.
In the menu, select Certificates & secrets.
Click New client secret.
Enter a description in the Description field. In the Expires drop-down list, select the option that suits you or leave the default, then click Add.
Copy the Value of the client secret using the copy icon at the end of the field. You need this value for the configuration in Concerto.
WARNING
Copy the client secret value now — it is no longer visible after you leave the application.
Select Overview in the menu.
Copy the Application (client) ID value and the Directory (tenant) ID value using the copy icon at the end of each line. You need both values for the configuration in Concerto.
Add a beem Device Management profile
Sign in to Concerto with a user who has rights to create an beem Device Management profile (Enterprise Administrator role).
You need the following information to configure the profile:
| Field | Value |
|---|---|
| Name | A name for the profile |
| Description | A description for the profile, e.g. Microsoft Intune MDM profile |
| Tags | One or more tags, if needed |
| Directory (tenant) ID | Directory (tenant) ID from the Microsoft Entra ID application |
| Application (client) ID | Application (client) ID from the Microsoft Entra ID application |
| Client Secret | Client secret value |
| Authentication Domain | login.microsoftonline.com |
| API Domain | graph.microsoft.com |
In the tenant, select Configure, then Partner Integration, then Unified Endpoint Management.
Select Microsoft Intune and click the Get Started button.
Fill out the mandatory fields with the information from the table above.
Click the Save button. The configuration is saved successfully.
Click Publish (top right-hand corner) to publish the configuration to the gateway(s) so it becomes active.
In the Gateway Publish Status window, click the Publish button.
WARNING
Publishing applies not only this configuration but also any pending changes made to other configurations.
Create a policy rule to check the device compliance status
Sign in to Concerto with a user who has rights to create a policy rule.
In the beem tenant, select Configure, then Secure Access, then Client-based Access, then Policy Rules.
Click the Add button.
Complete step 1 (Operating System) and step 2 (Users and Groups). In step 3 (Endpoint Posture), click the Customize button in the Device Compliance Status pane.
Select the Managed Devices option and choose the appropriate status. Once the status is set, click Back or Next.
Complete steps 4, 5, and 6. In step 7 (Client Configuration), click the Customize button in the Client Controls pane.
In the Certificate Issuer field, enter the string
Microsoft Intune MDM Device CA.WARNING
Specifying the Certificate Issuer is essential. If you do not, the secure access client will not send the device ID when connecting to gateways, so the correct policy will not match.
