The Intune integration is available to all organizations. It is configured by an asset application administrator in TDAdmin and the synced data and device actions are available to all members of the asset application.
The Microsoft Intune integration allows TeamDynamix administrators to set up a connection to Intune and automatically sync asset data into TeamDynamix. Once assets are created using this integration, technicians can open those assets in Intune or take other actions on the synced assets, and users can report on data synced from MS Intune.
This article covers the following topics:
- Setting up the Intune integration
- Syncing assets to TeamDynamix
- Working with assets from Intune in TDNext
- Actions on Intune devices
Setting up the Intune integration
The Intune integration can be configured in the Integrations page of an Asset application or in the global Organization Settings > Integrations page. Follow these steps to set up the integration:
- Navigate to the Integrations page in an asset application (TDAdmin > Applications > [Asset Application] > Integrations) or as a global administrator (TDAdmin > Organization Settings > Integrations).
- Click +New to create a new integration.
- Set the Integration Type to Microsoft Intune (if you're in the asset application, this will be the only option).
- Choose a Name.
- Set the Application (this will be automatically set when configuring the integration from within the Assets/CIs application).
- Choose whether to Create Assets. If this is checked, the integration will create new asset records based on managed devices. If unchecked, it will add Intune information to existing devices, but will not create any new ones.
- Choose an Asset Matching Mode. See the Matching Logic section below for details on the Asset Matching Mode.
- Choose a Form and Status for the assets created by Intune. These values will be used when new assets are created, but will not be updated on existing assets.
- Choose a setting for Use External Product Model.
  - When checked, assets will be created using the selected Product Type and will use the Model field in Intune as the Product Model (creating new Product Models in TeamDynamix if there is no match).
  - When unchecked, a Default Product Model can be selected. If it is, that product model will be used for assets created by the integration. If omitted, no Product Model will be applied.
- Choose a setting for the Set Owner or Set User checkboxes. When the asset user in Intune can be matched to a TeamDynamix user, they will be set as the Owner or User in TeamDynamix based on these settings.
- Set the Azure Tenant ID, Client ID, and Client Secret to connect to Intune.
  - The asset sync features in the Intune integration use an app registration with the Application API permission DeviceManagementManagedDevices.Read.All (not as a Delegated permission).
  - Note: The Client Secret field requires the client secret value, not its ID.
  - The managed action features (added in TeamDynamix version 12.1) require the additional permissions DeviceManagementManagedDevices.ReadWrite.All and DeviceManagementManagedDevices.PrivilegedOperations.All. You will need to grant Admin Consent through the application. For organizations setting up the integration for the first time after version 12.1, DeviceManagementManagedDevices.ReadWrite.All includes all the permissions required to import devices in DeviceManagementManagedDevices.Read.All and you do not need to separately grant that permission.
Syncing assets to TeamDynamix
Assets are automatically generated and updated by the Intune integration when it is initially configured and kept in sync by a nightly update. Whether the integration creates assets and how it matches assets to Intune devices is controlled by the Asset Matching setting. The following options are available:
- Create Assets - The integration will create new assets, matching by serial number or Microsoft Intune ID. If there is a conflict where the serial number is matched, but the Microsoft Intune ID does not match, a new asset will be created.
- Match by Serial Number and set Microsoft Intune ID - The integration will create new assets when there is no match by serial number. If there is a match by serial number, the Microsoft Intune ID will be set on the existing asset, and no new asset will be created.
- Match by Microsoft Intune ID - The integration will create new assets when there is no match by Microsoft Intune ID. If there is a match by Microsoft Intune ID, the existing asset will be updated, and no new asset will be created.
- None - The integration will only update existing assets, and the Default Form, Default Status and Default Product Model fields will be ignored.
Matching Logic
The integration matches assets in the TeamDynamix database by looking for a matching value on the following fields:
- Intune Device ID - If an asset is found where the Intune Device ID in Intune matches the Intune Device ID in TeamDynamix, it will be updated with any new values from Intune. All new assets created by this integration will have the Intune Device ID set automatically.
- Serial Number - If no matching Intune ID is found, the integration will look for an asset with a matching Serial Number and update that asset.
The matching rules work as follows:
- If the Serial Number and Intune Device ID match, the asset will be updated.
  - This would be the most common match, when an asset that is in Intune has been previously updated by this integration.
- If the Serial Number matches and Intune Device ID is different, a new asset will be created.
  - This would occur when records in Intune are using a generic or blank serial number.
- If the Serial Number matches and Intune Device ID is blank, update the asset and set the Intune Device ID.
  - This would occur when the asset was already created in TeamDynamix through another process, and links the existing asset record to the Intune record.
- If the Serial Number does not match or is empty and Intune Device ID does match, update the asset and set the Serial Number.
  - This would occur when a serial number has changed in Intune on an asset that was previously synced.
- If there is no match on Serial Number or Intune Device ID, create a new asset.
  - This would occur when a new asset is added to Intune.
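The matching rules above can be traced with a short simulation. This is an added example, not TeamDynamix code: the `Asset` class, the `reconcile` and `sync` functions, the action labels and the sample records are constructed for illustration. It assumes asset creation is enabled and that an empty serial number never matches.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    serial: str = ""
    intune_id: str = ""

def reconcile(assets, device_id, serial):
    """Return (action, matched asset or None) for one Intune managed device."""
    # The Intune Device ID is checked first.
    by_id = next((a for a in assets if a.intune_id == device_id), None)
    if by_id is not None:
        if serial and by_id.serial == serial:
            return "update", by_id
        return "update_set_serial", by_id
    # Then the Serial Number. Assumption: an empty serial never matches.
    same_serial = [a for a in assets if serial and a.serial == serial]
    unlinked = next((a for a in same_serial if not a.intune_id), None)
    if unlinked is not None:
        return "update_set_intune_id", unlinked
    # Serial already linked to a different Intune ID, or no match at all.
    return ("create_serial_conflict" if same_serial else "create"), None

def sync(assets, devices):
    """Apply reconcile() to each (device_id, serial) pair; return the actions."""
    actions = []
    for device_id, serial in devices:
        action, asset = reconcile(assets, device_id, serial)
        if asset is None:
            assets.append(Asset(f"intune-{device_id}", serial, device_id))
        else:
            asset.intune_id = device_id
            # Assumption: keep the old serial when Intune reports none.
            asset.serial = serial or asset.serial
        actions.append((device_id, action))
    return actions

def demo():
    # Constructed inventory and Intune device list (not real data).
    assets = [Asset("LAB-01", "SN100", "dev-1"), Asset("LAB-02", "SN200"),
              Asset("LAB-03", "SN300", "dev-3")]
    devices = [("dev-1", "SN100"), ("dev-2", "SN200"), ("dev-3", "SN301"),
               ("dev-4", "SN400"), ("dev-5", "Default string"),
               ("dev-6", "Default string")]  # generic placeholder serial
    return sync(assets, devices), assets

if __name__ == "__main__":
    actions, assets = demo()
    for row in actions:
        print(*row)
    print(len(assets), "assets after sync")
```

The last two devices share a placeholder serial, so the second one becomes a separate asset instead of overwriting the first; that is the pattern to look for when duplicate assets appear after a sync.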
Working with assets from Intune in TDNext
When viewing an asset from Intune in TDNext, users can view detailed information from Intune in the asset's Discovered Data tab. The Open in Intune button allows the user to open the asset directly in Intune (subject to the user's permissions in Intune).

The data in the Discovered Data tab is also available in the Assets report source. The following fields are mapped from Intune to TDX. The Intune Field column refers to the field as defined in the Intune managedDevice resource type.
| TDX Field | Intune Field | Notes |
| --- | --- | --- |
| Azure AD Device ID | azureADDeviceId | |
| Azure AD Registered | azureADRegistered | |
| Compliance Grace Period Expiration | complianceGracePeriodExpirationDateTime | |
| Compliance State | complianceState | |
| Device Category | deviceCategoryDisplayName | |
| Enrolled Date | enrolledDateTime | |
| Enrollment Type | deviceEnrollmentType | |
| Free Storage | freeStorageSpaceInBytes | |
| Intune Device ID | id | |
| Intune Product Model | model | |
| Intune User | userPrincipalName | |
| Intune User Email | emailAddress | |
| Is Encrypted? | isEncrypted | |
| Is Supervised? | isSupervised | |
| Last Sync Date | lastSyncDateTime | This is the date & time the device was last synced with Intune, not the date & time the data in Intune was synced with TeamDynamix. |
| Operating System (Intune) | operatingSystem | |
| OS Version (Intune) | osVersion | |
| Owner Type | managedDeviceOwnerType | |
| Registration State | deviceRegistrationState | |
| Total Storage | totalStorageSpaceInBytes | |
| WiFi MAC Address | wiFiMacAddress | |
Intune managed device actions
If you grant the additional permissions described above, the integration will allow technicians in TeamDynamix to take actions on devices in Intune. Because Microsoft does not provide a separate permission that can be granted for each action a user may take on a device, TeamDynamix administrators can control which actions are available to technicians in their environment based on the asset application's security role. To edit the security role, follow these steps:
- Navigate to the asset application's security roles (TDAdmin > Applications > [Asset Application] > Users & Roles > Security Roles).
- Open the security role to be edited.
- Add appropriate actions from the Microsoft Intune section in the security role.
- Save.
The following actions are supported in the Intune integration:
| Action | Intune Permission | Device Types | Description |
| --- | --- | --- | --- |
| Open in Intune | None - uses Intune user permissions | | Opens the device's detail page in the Intune website. |
| Map Intune Devices | None - this action takes place within TeamDynamix. | | Allows the user to set the Intune device ID on an asset from within TeamDynamix. |
| Sync TeamDynamix Asset From Intune | DeviceManagementManagedDevices.Read.All | | Runs the asset sync between TeamDynamix and Intune, updating the TeamDynamix record with the latest information from Intune for this asset. |
| Remove Intune synced data from assets | None - this action takes place within TeamDynamix. | | Removes any Intune device information from this asset in TeamDynamix. |
| Request Intune Device Sync | DeviceManagementManagedDevices.PrivilegedOperations.All | | Requests the device to sync its information in Intune. Once the device responds, the data in Intune will be updated with any new information from the managed device. |
| Reboot Devices via Intune | DeviceManagementManagedDevices.PrivilegedOperations.All | Android Enterprise corporate-owned Fully Managed (COBO); Android Enterprise corporate-owned Dedicated (COSU); Android Open Source Project (AOSP); iOS/iPadOS in Supervised Mode (requires an Apple Business Manager account setup to enroll the device as supervised in Intune); macOS; Windows 8.1 or higher | Requests Intune to reboot the device. |
| Remote Lock Devices via Intune | DeviceManagementManagedDevices.PrivilegedOperations.All | Android Enterprise corporate-owned dedicated (COSU); Android Enterprise corporate-owned fully managed (COBO); Android Enterprise corporate-owned work profile (COPE); Android Open Source Project (AOSP); iOS/iPadOS; macOS | Requests Intune to lock the device. |
| Reset Device Passcodes via Intune | DeviceManagementManagedDevices.PrivilegedOperations.All | Android Enterprise corporate-owned dedicated (COSU); Android Enterprise corporate-owned fully managed (COBO); Android Enterprise corporate-owned work profile (COPE); Android Open Source Project (AOSP); iOS/iPadOS | Requests Intune to reset the device's passcode. |
| Check for Windows Defender Updates via Intune | DeviceManagementManagedDevices.PrivilegedOperations.All | | Requests the device to check for Windows Defender updates. |
| Run Windows Defender Scan via Intune | DeviceManagementManagedDevices.PrivilegedOperations.All | | Requests the device to run a Windows Defender scan. |
| Start Remote Help via Intune | DeviceManagementManagedDevices.ReadWrite.All | Android Enterprise corporate-owned dedicated (COSU); Android Enterprise corporate-owned fully managed (COBO); Android Enterprise corporate-owned work profile (COPE); Android Open Source Project (AOSP); macOS 13 or higher; Windows 10 or higher | Requests Intune to start remote help. This action will require a TeamViewer connector in Intune to be fully configured. This action will be available to users in TeamDynamix when Intune reports that the specific device is able to be remotely administered in the Intune portal AND the enterprise application has the DeviceManagementManagedDevices.ReadWrite.All permission. |