Script to remind Office 365 users to enrol their device to InTune

When I have a little downtime (which isn’t often!), I like to sit around and think of cool things I can automate using PowerShell. I have a .txt file that I put all these ideas into and every now and then have a crack at solving one.

Just recently I was playing around with Office 365 and Windows InTune and this idea struck me.

With the licensing model of Office 365 being user based, people are syncing their mail to more and more devices. They’ll have Outlook on their work laptop, email syncing on their Windows Phone, and probably syncing on their Apple and/or Android tablet as well. The problem with so many devices is that IT has to track and manage the corporate data on all of them. Of course, InTune is the obvious tool to manage these devices.

Getting your users to enrol their devices into InTune is one of the main challenges. As the registration has to happen from the end user’s side, I thought I’d write a script to help pester your users into registering their iPads, iPhones, Androids and WPs into your InTune MDM.

The idea is for this script to be run as a scheduled task. It will connect to your o365 tenant subscription and discover all those users who have synced their device with o365 since the last scheduled task ran. It will then send that user an email reminding them to enrol their device to InTune.

The email to your users can obviously be customized, but here’s a look at what I’ve given you by default:

[Image: the default reminder email]

I’ve also added a testing mode switch, so you don’t spam your o365 users while doing your dev and test.

Here’s the script.

$O365Username = "your@username.onmicrosoft.com" # Add your o365 admin username here
$SendEmail = $true                  # Change this to $false during testing. Output will be returned to the console
$DeviceRegistrationTimeFrame = -1000000 # Negative number of hours; set this to match the schedule of your scheduled task
$InServiceMode = $true              # Set to $true when running as a scheduled task. This stops the PSSession from unloading every time it's run

# Functions must be defined before they are called in a script file, so they live up here.
Function Connect-O365 {
    # Kept in script scope so the SMTP step further down can reuse the same credential
    $script:UserCredential = Get-Credential -UserName $O365Username -Message "Enter o365 password"
    # Legacy remote PowerShell endpoint with Basic authentication, current when this was written.
    # Microsoft has since retired it in favour of the Exchange Online PowerShell module.
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri https://outlook.office365.com/powershell-liveid/ `
        -Credential $script:UserCredential -Authentication Basic -AllowRedirection
    Import-PSSession $Session
}

Function Disconnect-O365 ($SessionID) {
    Remove-PSSession -Id $SessionID
}

# Ensure o365 session: connect only if no Exchange session already exists
$ExchangeSession = Get-PSSession | Where-Object { $_.ConfigurationName -eq "Microsoft.Exchange" }
If (-not $ExchangeSession) { Connect-O365 }

# Mail info
$SMTPServer = "smtp.office365.com"
$SMTPPort = 587
$SMTPCredential = $UserCredential
$EmailSender = $O365Username

# Get o365 data: every device partnership created since the last scheduled run
Get-MobileDevice | Where-Object { $_.WhenCreated -gt (Get-Date).AddHours($DeviceRegistrationTimeFrame) } | ForEach-Object {
    $User = Get-User -Identity $_.UserDisplayName
    $AccountDisplayName = $User.DisplayName
    $AccountFirstName = $User.FirstName
    $AccountEmail = $User.WindowsEmailAddress
    $DeviceId = $_.DeviceId
    $DeviceOS = $_.DeviceOS
    $UserDisplayName = $_.UserDisplayName
    $ClientType = $_.ClientType
    $IsCompliant = $_.IsCompliant
    $IsDisabled = $_.IsDisabled
    $Name = $_.Name
    $WhenChanged = $_.WhenChanged
    $WhenCreated = $_.WhenCreated
    $Id = $_.Id
    $IsValid = $_.IsValid

    # Email authorization, decided per device so one disabled or invalid device
    # doesn't switch off email for every user that follows it in the loop
    $SendThisEmail = $SendEmail
    If ($IsDisabled -eq $true) { $SendThisEmail = $false }
    If ($IsValid -eq $false) { $SendThisEmail = $false }

    $EmailRecipient = $AccountEmail
    $EmailSubject = "$AccountFirstName, don't forget to enroll your device to InTune!"
    $Body = @"
<html>
<head>
<title>Enroll Your Device Today!</title>
<style>
body {font-family: Verdana;}
#HeadingTitle {text-align: center; font-size: large; margin-top: 10px; color: blue;}
#HeadingBox {width: 60%; height: 70px; position: absolute; top: 10px; left: 20%; right: 20%; vertical-align: middle; background-color: white;}
#BodyText {width: 60%; height: 60%; position: absolute; top: 100px; left: 15%; right: 20%; vertical-align: middle; text-align: center;}
table.center {margin-left: auto; margin-right: auto; font-size: x-small; position: relative; top: 30px; color: gray;}
</style>
</head>
<body>
<div id="BodyText">
<!-- Intune logo. Please add your company logo too. -->
<img src="https://secure.aadcdn.microsoftonline-p.com/aadbranding/1.0.1/aadlogin/Intune/logo.png"></img>
<p><!-- First line "Hello Name," -->
Hello $AccountFirstName,
<p><!-- Second line -->
Thank you for syncing your device with Office 365!
<p><!-- Third line -->
To ensure your device is fully managed and supported by the internal IT team, please now enrol your device into InTune via the link below
<p><!-- Fourth line: link to the manage portal -->
<a href="https://manage.microsoft.com">Manage My Device!</a>
<p><!-- Fifth line -->
Thanks,
<p><!-- Sixth line. Please add your IT department -->
<b>Your IT Team</b>
<!-- Device Details -->
<table class="center">
<tr> <td><b>Username</b></td> <td>$UserDisplayName</td></tr>
<tr> <td><b>Enrolled</b></td> <td>$WhenCreated</td></tr>
<tr> <td><b>Device OS</b></td> <td>$DeviceOS</td></tr>
<tr> <td><b>Device ID</b></td> <td>$DeviceId</td></tr>
</table>
</div>
</body>
</html>
"@

    # Send Email
    If ($SendThisEmail -eq $true) {
        Send-MailMessage -To $EmailRecipient -From $EmailSender -Subject $EmailSubject -UseSsl -Port $SMTPPort `
            -SmtpServer $SMTPServer -Credential $SMTPCredential -BodyAsHtml -Body $Body
    } Else {
        Write-Host "----- Output to console for testing -----"
        Write-Host "----- To: $EmailRecipient -----"
        Write-Host "----- From: $EmailSender -----"
        Write-Host "----- Subject: $EmailSubject -----"
        Write-Host "----- Body: Not added to testing -----"
    }
}

# Close Session if not in service mode (-eq, not =, which would assign $false and never close anything)
If ($InServiceMode -eq $false) {
    Get-PSSession | ForEach-Object {
        If ($_.ConfigurationName -eq "Microsoft.Exchange") { Disconnect-O365 $_.Id }
    }
}
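One thing the script does not cover: Connect-O365 prompts with Get-Credential, and a scheduled task running unattended has nobody to answer the prompt. Here is an added example (my own code, not from the original post) of the usual way round that: export the credential once, interactively, as the account the task runs under, and import it from the task; the file path and the Save-/Get-O365Credential function names are this example's own choices.

```powershell
# Added example, not part of the original script: give the scheduled task its o365 credential
# without an interactive Get-Credential prompt.
# Export-Clixml serialises a PSCredential with the password encrypted by Windows DPAPI, scoped to
# the current user account on the current machine, so only the task account on this host can read
# it back. The path and function names are this example's own assumptions.
$CredentialPath = Join-Path $env:LOCALAPPDATA "IntuneReminder\o365-credential.xml"

Function Save-O365Credential ($Username, $Path) {
    # Run once, interactively, logged on as the account the scheduled task will run under.
    $Dir = Split-Path -Path $Path -Parent
    If (-not (Test-Path -Path $Dir)) { New-Item -ItemType Directory -Path $Dir | Out-Null }
    $Cred = Get-Credential -UserName $Username -Message "Enter the o365 password to store for the task"
    $Cred | Export-Clixml -Path $Path
}

Function Get-O365Credential ($Path) {
    # Called by the task. Fails loudly rather than falling through to a prompt nobody can answer.
    If (-not (Test-Path -Path $Path)) {
        Throw "No stored credential at $Path. Run Save-O365Credential interactively as the task account first."
    }
    $Cred = Import-Clixml -Path $Path
    If ($Cred -isnot [System.Management.Automation.PSCredential]) {
        # Guards against an unrelated or edited file being handed to New-PSSession
        Throw "$Path did not deserialise to a PSCredential; re-run Save-O365Credential as the task account."
    }
    Return $Cred
}

# Connect-O365 from the reminder script then becomes non-interactive:
Function Connect-O365 {
    $script:UserCredential = Get-O365Credential -Path $CredentialPath
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri https://outlook.office365.com/powershell-liveid/ `
        -Credential $script:UserCredential -Authentication Basic -AllowRedirection
    Import-PSSession $Session
}
```

The task must run as the same Windows account, on the same machine, that ran Save-O365Credential, otherwise the DPAPI-protected password cannot be decrypted and Import-Clixml fails.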

Matt Shadbolt

Comments

  • Anonymous
    December 27, 2015
    Hi,
    Azure PowerShell and the recommendation app are required to run every time. Can you please help me to incorporate all related commands into the said script? I have limited experience of PowerShell and the Azure module.

    PS C:\Users\administrator.BEL> C:\Users\administrator.BEL\Desktop\InTune.ps1
    The term 'Connect-O365' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    At C:\Users\administrator.BEL\Desktop\InTune.ps1:8 char:108
    + ForEach ($Session in $SessionState) {If ($Session.ConfigurationName -ne "Microsoft.Exchange") {Connect-O365 <<<< }}
        + CategoryInfo          : ObjectNotFound: (Connect-O365:String) [], CommandNotFoundException
        + FullyQualifiedErrorId : CommandNotFoundException
    The term 'Connect-O365' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    At C:\Users\administrator.BEL\Desktop\InTune.ps1:9 char:34
    + If (!$SessionState) {Connect-O365 <<<< }
        + CategoryInfo          : ObjectNotFound: (Connect-O365:String) [], CommandNotFoundException
        + FullyQualifiedErrorId : CommandNotFoundException
    The term 'Get-MobileDevice' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    At C:\Users\administrator.BEL\Desktop\InTune.ps1:12 char:17
    + Get-MobileDevice <<<< | Where{$_.WhenCreated -gt (Get-Date).AddHours($DeviceRegistrationTimeFrame)} | ForEach-Object {
        + CategoryInfo          : ObjectNotFound: (Get-MobileDevice:String) [], CommandNotFoundException
        + FullyQualifiedErrorId : CommandNotFoundException