MDM Integration: Microsoft Endpoint Manager / Intune

Created: Modified: Documentation

Imprivata GroundControl has deep integration with Microsoft Endpoint Manager, also known as Intune. The instructions below describe how to set up GroundControl to use Microsoft Graph APIs. Optionally, you may add an Enrollment Profile for touch-free enrollments of non-DEP devices.

API Integration

Microsoft API Integration is recommended for both DEP and non-DEP enrollments. API integration adds additional features to customize your workflows, including device delete, device sync, and clear passcode.

There is a one-time process to allow GroundControl access to your Intune tenant. First, your Azure administrator must create a new App Registration within Azure. Then your GroundControl administrator will add the Azure OAuth credentials to GroundControl.

Azure Setup

1. Log into your Azure tenant at

2. Search for the service App registrations.

3. Create a new registration.

4. Name the application “GroundControl API Access” or something similar.

5. Choose the most limited account type.

6. Leave the Redirect URI blank.

7. Click OK to create the application.

8. In the vertical navigation bar, select API permissions.

9. Select the Microsoft Graph API.

10. Select Application permissions.

11. Add permissions for:

  • DeviceManagementManagedDevices.PriviligedOperation.All
  • DeviceManagementManagedDevices.ReadWrite.All
  • DeviceManagementConfiguration.Read.All
  • DeviceManagementConfiguration.ReadWrite.All
  • Device.Read.All,
  • Device.ReadWrite.All,
  • Directory.Read.All,
  • Directory.ReadWrite.All

12. Click Add Permissions.

13. Now that you have created the application, you need to grant permissions to it. At the top of the permission list is an action Grant admin consent for <company name>.

14. Consent to allow the application to access your Intune managed devices.

15. In the vertical navigation bar, click Overview.

16. Copy both the Application (client) ID and the Directory (tenant) IDs to a safe place. You will use these in the GroundControl Admin console.

17. In the vertical navigation bar, click on Clients & Secrets.

18. Click New client secret.

19. Name the new secret with a useful description.

20. Select the expiration for the client secret. You may choose any value, but if it expires you must regenerate a new secret and load it into GroundControl.

21. Add the new secret, copy the value, not the ID, and store it in a safe place. You will the client secret value in the GroundControl Admin console.

22. You may now close Azure.

GroundControl Setup

1. In GroundControl’s admin console, navigate to Admin > MDMs.

2. To add a new MDM, click Add and select Intune.

3. Type a descriptive name in the MDM Name box. Skip the enrollment profile. Enable API Integration.

4. Enter your Client ID, Client Secret, and Tenant ID.

5. Click Test to see a successful connection.