Microsoft Endpoint Manager (MEM)/Intune

Microsoft Endpoint Manager (MEM) provides deployment and management of Windows devices. We have not looked into managing Android devices with Intune yet, but that’s on the roadmap. If you're looking to manage macOS and iOS devices, please review https://aggiedesktop.ucdavis.edu/jamf-pro.

Aggie Desktop, in partnership with the uConnect team, provides this as a service to the UC Davis campus. Campus units may take advantage of this service rather than running their own Entra ID infrastructure. Aggie Desktop is happy to assist departments with migrating to Autopilot and Intune for building and managing Windows computers.

For information on how to use the Aggie Desktop MEM service, please reference these KBs to get started (note: all KBs require access to the TSP KB):

The Intune license is included in the Microsoft 365 A3 (and A5) plans for educational institutions, so there is no additional endpoint licensing cost.

The standard Aggie Desktop build via the MEM service applies various minimum security standard configurations, including:

  • Binding the system to Entra ID to require use of standard campus computing account credentials for login
    • It also makes zero-touch deployments possible: devices can be shipped directly to end users, as they only need internet access to log in and do not need to connect to a campus network first.
  • Configuring the system for BitLocker encryption with key escrow to the Intune console
  • Configuring the system to utilize LAPS
  • Installing the BigFix client
  • Enabling the screensaver with a 15-minute timeout and a password requirement to resume
  • Enabling and configuring the local host firewall
  • Leveraging Autopilot to “lock” devices to UC Davis control at the hardware level

If you would like to get onboarded, please complete this onboarding survey to kick off the Intune onboarding process.