Integrating Lansweeper and Microsoft Intune
Intro
Welcome to the second post (out of three) in the Lansweeper integration series. If you would like to know how to integrate LS with other services such as Office 365, feel free to check this out:
In this post I will go through the process of integrating LS with Microsoft Intune. If you are reading this, I presume that you know Lansweeper itself, and I’m almost certain that you know Intune too, but there is no harm in providing you with some basics.
Lansweeper - IT asset management tool and network inventory software. It scans, discovers and inventories all Windows, Linux and macOS workstations and IP-addressable devices. LS collects a wide variety of data about devices and provides a user-friendly interface to go through the collected endpoint parameters.
Microsoft Intune - cutting-edge cloud-based enterprise mobility management service developed by Microsoft. It allows you to manage workstations over the Internet without them being connected to company infrastructure. It helps you keep your corporate data protected by controlling the way your workforce accesses and shares it. And finally, it helps you ensure that devices and apps are compliant with company security requirements.
What does Lansweeper fetch from Intune? Well, everything it can: device name, enrollment date and compliance state, MAC address, manufacturer, model, carrier, OS version, storage, IMEI, MEID, serial number, user, info on whether the device is jailbroken, installed applications and more.
Excited? So let’s begin!
Prerequisites
There are a few things you should do and check before implementing this feature. Requirements:
- Lansweeper 7.1 or above - I recommend installing the newest update, which is 7.2; it was released on the 7th of September
- Azure AD account whose credentials will be used for scanning. This account cannot be included in the MFA policy in your organization
- Security group in Active Directory assigned to the Intune role Read Only Operator
- You must provide Lansweeper with the application ID of an application that can read Intune devices from the Microsoft Graph API
- Spare Intune license - I will get back to that later in the post
Besides those, there are requirements that apply to the on-prem scanning server; you can find them in the first post in the series - Integrating Lansweeper and Office 365
If you meet those requirements, you can proceed with the configuration!
Scanning credentials
First, create a service account in your AD/AAD that will be used as the scanning credentials. The official Lansweeper knowledge base says that this account should have the Intune Administrator role assigned.
Well, you can do this if you don’t mind having such a highly privileged account in your tenant. My proposition is to assign the Read Only Operator role instead; you will also need the most basic Intune license, which costs around 3 Euro per month.
For me, paying this money does not seem like the end of the world, and you will be able to sleep better 😀.
The next step is setting up the Intune application in Azure AD. Log into your Azure tenant, select the Azure Active Directory menu on the left, then the App registrations section within this menu, and hit the New registration button.
Provide a name for your application and hit the Register button.
Then go to the Authentication menu of your application, set the default client type setting to Yes and hit Save.
The last step is to provide the application with permissions to Microsoft Graph. To do this, go to the API permissions menu of your application and hit the Add a permission button.
Select Microsoft Graph from the list of available APIs in the resulting popup.
Submit DeviceManagementManagedDevices.Read.All in the search box, tick the permission in the search results and hit Add permissions at the bottom of the page.
After choosing the permissions, you need a highly privileged account to grant admin consent.
And that is all in the matter of scanning credentials!
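To confirm that the registration really ended up with only the read permission described above, you can inspect the scp claim of an access token issued to the scanning account through this app. The Python check below is an added example, not part of the original post and not Lansweeper's own code; the BASELINE scope set and both sample tokens are constructed assumptions, and the decoding is for inspection only (the signature is not verified).

```python
import base64
import json

# Permission the post grants to the app registration.
REQUIRED = "DeviceManagementManagedDevices.Read.All"
# Assumption: sign-in scopes that often accompany a delegated token; adjust per tenant.
BASELINE = {"openid", "profile", "email", "User.Read"}


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_scopes(token: str) -> dict:
    """Report whether the delegated scopes (scp claim) match the read-only setup."""
    scopes = set(jwt_claims(token).get("scp", "").split())
    extra = sorted(scopes - BASELINE - {REQUIRED})
    return {
        "has_required": REQUIRED in scopes,
        "unexpected": extra,  # anything here is more than the scan needs
        "least_privilege": REQUIRED in scopes and not extra,
    }


def constructed_token(scp: str) -> str:
    """Build an unsigned sample token (constructed test data, not a real credential)."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc({'scp': scp})}.sig"


# Constructed samples: the setup from the post, and one with a write scope added by mistake.
GOOD = constructed_token("DeviceManagementManagedDevices.Read.All User.Read")
BAD = constructed_token(
    "DeviceManagementManagedDevices.Read.All "
    "DeviceManagementManagedDevices.ReadWrite.All User.Read"
)

if __name__ == "__main__":
    for name, tok in (("good", GOOD), ("bad", BAD)):
        print(name, audit_scopes(tok))
```

With a delegated permission like this one, what the account can actually do is further limited by its own Intune role, which is why the Read Only Operator assignment and the single read scope work together.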
Configurations in Lansweeper
Now that we’ve met all the requirements, we can proceed with the configuration in the Lansweeper Web Console. These last steps are the easiest in the whole process!
- Go to Scanning Targets
- Click on ‘Add Scanning Target’. You will see a new window where you can provide the scanning credentials you created
And you are ready to go!
Pro tip
If you would like to check the scanning credentials before configuring the feature in production, you can use a great test tool that is located in the Lansweeper installation on your server: […]\Lansweeper\Service\Lansweeper.TestTools.App
See you in the next one! 😉 🧠