This document lists common terminology and definitions in association with Microsoft cloud-based device management.
|Autopilot Deployment||-Autopilot Enrollment
|A cloud-directed process which brings a device to the right initial configuration. There are four types: user-driven, self-deploying, white glove, and reset. Autopilot deployment is dependent on AAD join and Intune enrollment.|
|Autopilot Profile||-Autopilot device profile
|A profile of settings that needs to be applied to assigned devices.|
|Autopilot Registration||Autopilot registration allows a device to be uniquely identified by Microsoft’s Autopilot deployment service as belonging to a given organization. There are two types of autopilot registration: vendor-based and organization-based.
Vendor-based is considered more authoritative and some Autopilot activities are only allowed to vendor-based registration. Vendor-based registration requires prior setup with the vendor, and at the time of the order, the customer can provide specific information that results in a specific AutoPilot image within our Intune tenant.
|Autopilot Reset||An autopilot action which takes the device back to a business-ready state, removing personal files, apps, and settings and reapplying a device’s original settings, maintaining its identity connection to Azure AD and its management connection to Intune. Local reset can be initiated by a user in the Intune Service Administrator role. Remote reset can be triggered only for devices which were not self-deploying.|
|Azure Active Directory||-Azure AD
|A cloud-based identity product from Microsoft. Similar to Active Directory but with many differences.|
|Azure AD Device Delete||Deletes the Azure AD device object.
Unclear what happens to Intune device record. See https://docs.microsoft.com/en-us/mem/Intune/remote-actions/devices-wipe#delete-devices-from-the-azure-active-directory-portal for Microsoft documentation.
|Azure AD Device Join||-AAD Join
-Azure AD Join (AADJ)
-Cloud Device Join (CDJ)
|A device is said to be Azure AD joined when it has registered with Azure AD AND primary sign in to that device requires an Azure AD user account. An Azure AD joined device can also have limited device management benefits, especially if a Mobile Device Management (MDM) provider is associated with the Azure AD tenant. The UW has Intune as its MDM provider, but device management capabilities are extremely limited at this time. There are a few other device management capabilities outside Intune, for example Bitllocker key recovery and Enterprise State Roaming.|
|Azure AD Device Registration||-AAD Register
-Azure AD Register
-AAD Workplace Join (WPJ)
|A device which is Azure AD registered has an association with Azure AD that allows sign in to Azure AD applications, but primary sign in on the device is not through Azure AD. The registration experience includes issuance of a certificate that can be used to provide information security; data from those applications can be protected and access to any downloaded data can be lost if the device loses its Azure AD registration.|
|Azure AD Hybrid Join||-Hybrid Join
|A device is said to be hybrid joined if it has both an AD object and an AAD object, which allow users of that device to sign in with an AD user account, which provides access to resources which are protected by either the AD or the AAD user.
A hybrid joined computer is joined to both AD and AAD, but the AD join is primary because the device initially uses AD authentication. Only Windows devices can be hybrid joined.
|Client Attach||This is a fancy term for co-management, usually used in conjunction with tenant attach or cloud attach. A device which is client attached is managed by ConfigMgr but also visible in the MEM portal. A client attached device gains the following benefits: conditional access, autopilot, MEM portal visibility.|
|Cloud Attach||A device which is cloud attached is managed by ConfigMgr but also visible in the MEM portal. The device can be cloud attached via either tenant attach or client attach. Typically, the device is primarily managed via ConfigMgr.|
|Cloud Management Gateway||-CMG||Enables MECM to manage devices over the internet|
|Co-existence||Devices are managed by ConfigMgr and another MDM product which is not Intune.|
|Co-Management||-Co-Managed||Devices are fully managed by both ConfigMgr and Intune with explicit admin intent on which workload is managed by either ConfigMgr or Intune.|
|Company Portal||-Intune Company Portal
|A cloud-based service provided by Microsoft whose content is managed by an organization. The company portal provides a user interface to access apps, device data, and resources that the organization publishes. https://go.microsoft.com/fwlink/?linkid=2010980 is a generic link to the company portal. See https://docs.microsoft.com/en-us/mem/intune/user-help/using-the-intune-company-portal-website for more info.|
|Corporate device||Typically this is a device which is owned by the university, however, the Microsoft products use the following methods to determine whether it is a corporate device:
|Desktop Analytics||-DA||A cloud-based service which provides insight and intelligence into your Windows clients. See https://docs.microsoft.com/en-us/mem/configmgr/desktop-analytics/overview for more info.|
|Device Firmware Configuration Interface||-DFCI||A (new) feature of UEFI that enables secure, programattic configuration of BIOS hardware settings.|
|Dynamic Group||A type of Azure AD group which does not have a static membership. Membership is computed on a recurring basis, based on a set of defined rules. A given dynamic group can only allow all users or all devices; no mixed membership.|
|Group Policy||-GP||A hybrid joined device may have group policy. Group policy is a set of settings derived from AD. Settings from Intune profiles and policy settings may conflict with group policy settings–there is a set of complex rules which determines which wins.|
|Group Policy Object||-GPO||A single, specific group policy|
|Group Policy Preferences||-GPP||A feature of group policy which has more flexibility than most group policy settings|
|Hardware ID||-hardware hash||The hardware ID, also commonly referred to as a hardware hash, contains several details about the device, including its manufacturer, model, device serial number, hard drive serial number, and many other attributes that can be used to uniquely identify that device.
Intune and Autopilot use this to uniquely identify a device. Unfortunately, Azure AD doesn’t use it to disambiguate AAD registrations from AAD joins.
|Intune Assignment||An Intune assignment is made when an Intune profile is assigned to a user or a device. The Intune profile may have a variety of settings. A user assignment follows the user across all Intune enrolled devices. A device assignment applies to all users of that device.|
|Intune Profile||-Intune Configuration Profile
-Device Configuration Profile
|An Intune Profile is a set of settings. An Intune Profile is similar to a group policy object. A profile can be assigned to users or devices.|
|Intune Device Category||An Intune property that can be assigned to each enrolled device. Valid values are defined by the MDM operator. Device category is one of the only useful properties that can be used in the rules for a device dynamic group.|
|Intune Device Delete||Intune Device action which removes all org data from the device and removes the device from Intune. The device immediately is removed from Intune; when the device checks in next it will receive this command to remove org data.|
|Intune Device Fresh Start||Intune Device action which removes any apps that are installed on a PC running Windows 10, version 1703 or later. Fresh Start helps remove pre-installed (OEM) apps that are typically installed with a new PC. If ‘retain user data on this device’ is checked, AAD join and Intune enrollment are kept, and the device user’s Home folder are kept, but apps and settings are removed.|
|Intune Device MacOS Erase||Intune Device action which erases all data from a macOS device, including the operating system. The device will also be removed from Intune management. No warning will be given to the end user.|
|Intune Device Retire||Intune Device action which removes all org data from the device and removes the device from Intune. The device remains in Intune until the device checks in and receives this action.|
|Intune Device Wipe||Intune Device action which restores the device to factory default settings. If ‘retain enrollment state and user account’ is checked, user data is kept and enrollment maintained.|
|Intune Policy set||An Intune Policy is more than just a set of settings; it’s a statement of requirement often related to compliance. Intune compliance policy settings override Intune profile settings.|
|Intune Scope||The combination of an Intune scope tag and scope group. Intune scope is poorly explained in Microsoft documentation; see https://docs.microsoft.com/en-us/mem/intune/fundamentals/scope-tags for the best existing info.|
|Intune Scope Group||An Azure AD group of devices, users, or both, by which an Intune scope tag is conditionally assigned to an Intune role. Scope groups are poorly explained in Microsoft documentation; see https://docs.microsoft.com/en-us/mem/intune/fundamentals/scope-tags for the best existing info.|
|Intune Scope Tag||An Intune property that can be assigned to each enrolled device or any other Intune object. Valid values are defined by the MDM operator. Scope tags are used to limit the scope of permissions. If you have Intune permissions and a scope tag on your account, those permissions are limited to objects with a matching scope tag.|
|MDM Enrollment||-Device Enrollment
|A device is said to be MDM enrolled when it is managed by a MDM product like Intune.
Any AAD registered device can be Intune enrolled, but not all AAD registered devices are Intune enrolled; it takes more than just AAD registration to become Intune enrolled but AAD registration is a minimum requirement.
An Azure AD tenant can be configured for automatic MDM enrollment, so that all AAD device joins are MDM enrolled. This is similar to Autopilot, but with fewer features and no requirement to explicitly enroll a device prior to join.
|Microsoft Endpoint Configuration Manager||MECM
|The new name for Configuration Manager aka SCCM. See https://docs.microsoft.com/en-us/mem/configmgr/core/understand/microsoft-endpoint-manager-faq.|
|Microsoft Endpoint Manager||-MEM
|A new Microsoft brand and license which includes Configuration Manager, Intune, and Desktop Analytics. MEM refers to the complete set of solutions.|
|Microsoft Intune||-Intune||Microsoft Intune is a cloud-based service that focuses on mobile device management (MDM) and mobile application management (MAM).|
|Mobile Application Management||-MAM||Refers to the suite of Intune management features that lets you publish, push, configure, secure, monitor, and update mobile apps.
Intune supports two MAM configurations:
-MAM without enrollment (MAM-WE), i.e. device does not have Intune but has a 3rd party agent
-MAM with MDM, i.e. device has Intune
|Mobile Device Management||-MDM||MDM is an industry term for the administration of mobile devices, including smartphones, tablets, laptops, and personal computers that aren’t necessarily very mobile. MDM seeks to simplify device management at scale across a diverse set of platforms.
MDM capabilities usually include:
Security is often a key configuration quality cited by MDM solutions.
MDM is based on the Open Mobile Alliance OMA Device Management specification. See http://www.openmobilealliance.org/wp/Overviews/dm_overview.html and http://openmobilealliance.org/release/DM/ for more.
|Personal device||-BYOD||Any device which is not considered a corporate device.
This term is sometimes loosely used to reference devices which have not been MDM enrolled, but are Azure AD registered.
|Tenant Attach||Tenant attach is where your SCCM data is imported to your MEM portal. This results in cloud attach. The benefits of tenant attach are: ATP integration, Desktop Analytics, User Experience Analytics, MEM portal visibility.|
|Windows Autopilot||-Autopilot||A collection of technologies used to set up and pre-configure new devices, getting them ready for productive use.
Autopilot is not a deployment method, it’s an initial provisioning method to bootstrap the system into AAD and Intune and in turn ConfigMgr if desired. Task sequences can be used in a variety of scenarios and a new feature in 2002 allows them to be kicked off automatically after the client agent is installed.
|Windows Subscription Activation||see https://docs.microsoft.com/en-us/windows/deployment/windows-10-subscription-activation|