MDM Integration: Microsoft Intune

Created: Modified: Documentation

Imprivata GroundControl has deep integration with Microsoft Intune. The instructions below describe how to set up GroundControl to use Microsoft Graph APIs. Optionally, you may add an Enrollment Profile for touch-free enrollments of non-DEP devices.

To configure the GroundControl Locker Android app with Intune’s Managed Home Screen, see this article.

API Integration

Microsoft API Integration is recommended for both DEP and non-DEP enrollments. API integration adds additional features to customize your workflows, including device delete, device sync, and clear passcode.

There is a one-time process to allow GroundControl access to your Intune tenant. First, your Azure administrator must create a new App Registration within Azure. Then your GroundControl administrator will add the Azure OAuth credentials to GroundControl.

Azure Setup

1. Log into your Azure tenant at

2. Search for the service App registrations.

3. Create a new registration.

4. Name the application “GroundControl API Access” or something similar.

5. Choose the most limited account type.

6. Leave the Redirect URI blank.

7. Click OK to create the application.

8. In the vertical navigation bar, select API permissions.

9. Select the Microsoft Graph API.

10. Select Application permissions.

11. Add permissions for:

  • DeviceManagementManagedDevices.PriviligedOperation.All
  • DeviceManagementManagedDevices.ReadWrite.All
  • DeviceManagementConfiguration.Read.All
  • DeviceManagementConfiguration.ReadWrite.All
  • DeviceManagementServiceConfig.Read.All
  • DeviceManagementServiceConfig.ReadWrite.All
  • Device.Read.All,
  • Device.ReadWrite.All,
  • Directory.Read.All,
  • Directory.ReadWrite.All
  • If your environment utilizes Azure shared iOS devices, add User.Read as a Delegated Permission for authenticating to Microsoft apps. For more information, see Authenticate to Microsoft Apps on iOS devices with GroundControl.


12. Click Add Permissions.

13. Now that you have created the application, you need to grant permissions to it. At the top of the permission list is an action Grant admin consent for <company name>.

14. Consent to allow the application to access your Intune managed devices.

15. In the vertical navigation bar, click Overview.

16. Copy both the Application (client) ID and the Directory (tenant) IDs to a safe place. You will use these in the GroundControl Admin console.

17. In the vertical navigation bar, click on Clients & Secrets.

18. Click New client secret.

19. Name the new secret with a useful description.

20. Select the expiration for the client secret. You may choose any value, but if it expires you must regenerate a new secret and load it into GroundControl.

21. Add the new secret, copy the value, not the ID, and store it in a safe place. You will the client secret value in the GroundControl Admin console.

22. You may now close Azure.

GroundControl Setup

1. In GroundControl’s admin console, navigate to Admin > MDMs.

2. To add a new MDM, click Add and select Intune.

3. Type a descriptive name in the MDM Name box. Skip the enrollment profile. Enable API Integration.

4. Enter your Client ID, Client Secret, and Tenant ID.

5. Click Test to see a successful connection.