(2023 Update) Before you read:
If you are considering setting this integration up, I would highly suggest looking into IntegrationHub ETL. This is a free app from the ServiceNow store and it allows you to ingest 3rd party data into your CMDB which runs through the IRE engine. The solution below is a manual process where you are building the integration from scratch. Feel free to continue if you'd like; just know that the method below does not run your CMDB data through the IRE engine.
In this guide, I am going to be pulling devices from Intune and importing them into the CMDB. There is very little documentation out there to help you with this integration, so this will provide you step-by-step instructions on setting this up. We will be using Azure to obtain the device data from Intune.
Azure setup
Contact your Azure admin to setup an application inside Azure to gain access to the API. The admin will need to follow these Instructions. Once the app is registered in Azure, write down the following information:
- Application Secret
- Tenant ID
- Client ID
Make sure the app has the DeviceManagementManagedDevices.Read.All application & delegated permission.
Authentication
In the Microsoft documentation, they tell us to use OAuth2.0 to authenticate. First, let's make sure your instance has OAuth2.0 enabled. Go in to your system properties, and make sure com.snc.platform.security.oauth.is.active is set to true.
In your ServiceNow instance, lets create an application registry. Navigate to System OAuth > Application Registry. Here are the fields you need to fill out:
| Field | Value |
|---|
| Name | Azure Authentication (can be anything) |
| Client ID | Azure App client ID |
| Client Secret | Azure App secret |
| Default Grant Type | Client Credentials |
| Token URL | https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/token |
| Redirect URL | https://instance-name.service-now.com/oauth_redirect.do| |
Now you will have to create an OAuth Entity Profile and choose the provider you just created. Once this is done, you will need to create the OAuth Entity Scope. The OAuth scope is https://graph.microsoft.com/.default.
Get the Payload
This is the fun part. We will now test the connection by generating a token with your application registry. Navigate to System Web Services > REST Messages and create a new one. Name the message anything you want, and add a description. The endpoint URL is what you can change depending on what information you need. Follow this link to find more managedDevice methods in the graph API.
For this guide, I want to list all devices in my environment. So the URL I will use is: https://graph.microsoft.com/v1.0/deviceManagement/managedDevices.
Select OAuth2.0 as the authentication type, and choose your profile you created above. Once complete, click the “Get OAuth Token” related link and make sure the OAuth2.0 flow completes. If it fails, you will need to double check your configuration in the registry you made.
After you have recieved the OAuth token, you can now test your REST message. Scroll down to HTTP Methods and open your Default GET record (you shouldn't have to change anything on this record, but make sure it is a GET request). Scroll down and click the Test related link.
Prepare for import
Once we have the JSON payload, we will need to create an import set table for these objects to import into. Copy/paste the payload in to any online JSON beautifier tool, then convert one of the objects in the payload in to a CSV file.
E.g. I've copied one device along with it's metadeta. Your payload should look very similar if you are using the same endpoint.
{ "id": "", "userId": "", "deviceName": "", "managedDeviceOwnerType": "", "enrolledDateTime": "", "lastSyncDateTime": "", "operatingSystem": "", "complianceState": "", "jailBroken": "", "managementAgent": "", "osVersion": "", "easActivated": , "easDeviceId": "", "easActivationDateTime": "" ...etc }
Now I will convert this to a CSV file. The whole point to this step is so the import set table has the correct fields for us to map to.
Once you have the CSV file, go to Load Data in the navigator and create a new table. Name it whatever you'd like, but remember it. Upload the CSV file you made and make sure the import set table has all the fields you want to map to from the payload.
Import the devices
In a real situation, you would likely want to import devices on a daily basis. In this case, we will create a scheduled job to run this REST message.
Before I go any further, I'd like to give credit to Jace Benson for assisting me on this. He is truly a master of ServiceNow.
This is the part where you can decide on how you want to classify your CI's in your CMDB. In my payload, I only have two different classes; Windows and Android devices. I have created two different scheduled jobs, one for Windows devices and one for Android devices. There are alternative ways of classifying your devices into ServiceNow, this is just the way I went about it.
Go to System Definition > Scheduled Jobs and create a new scheduled job. I have it set to run daily and I've named it “Grab Windows devices from Intune”.
Here is the script for the scheduled job:
try { var machines = []; function getMachines(endpoint, machines) { gs.info('in getMachines with endpoint: ' + endpoint); var pagedR = new sn_ws.RESTMessageV2('NAME OF REST MESSAGE', 'Default GET'); // Replace the first parameter with the name of your REST message. if (endpoint !== null) { pagedR.setEndpoint(endpoint); } var pagedResponse = pagedR.execute(); var pagedResponseBody = pagedResponse.getBody(); var pagedhttpStatus = pagedResponse.getStatusCode(); gs.info('windowsMachine response Status: ' + pagedResponseBody); var pagedObj = JSON.parse(pagedResponseBody); var newMachines = pagedObj.value.filter(function(device) { //This is the snippet that filters out only Windows devices. Hence the Windows only shceduled job. if (device.operatingSystem == "Windows") { return true; } else { return false; } }); gs.info(endpoint + ' : ' + newMachines.length); machines = machines.concat(newMachines); if (pagedObj["@odata.nextLink"]) { // if it has paged results getMachines(pagedObj["@odata.nextLink"], machines); } else { gs.info('machines.length: ' + machines.length); machines.forEach(function(machine) { gs.info('in foreach'); var intuneImport = new GlideRecord('IMPORT SET TABLE NAME'); // Replace with your Import set table name intuneImport.initialize(); //Set each field in the table to the correct data from payload for (var key in machine) { if (machine.hasOwnProperty(key)) { var field = key.toLowerCase(); var value = (function() { if (typeof machine[key] === "number") { return machine[key].toString(); } else { return machine[key]; } })() var actualField = 'u_' + field; if (intuneImport.isValidField(actualField)) { gs.info('setting (short)[' + actualField + ']:' + value); intuneImport.setValue(actualField, value); } else { var begin = field.substring(0, 12); var end = field.substring(field.length - 14, field.length); var calculatedField = 'u_' + begin + '_' + end; gs.info('setting (long)[' + calculatedField + ']:' + value); intuneImport.setValue(calculatedField, value); } } } intuneImport.insert(); }); } } getMachines(null, machines);} catch (ex) { var message = ex.message; gs.info('ERROR: ' + message);}
Make sure you replace line 6 with your REST message, and line 31 with your import set table name.
This script is essentially calling the REST message you created, parsing the payload, creating a record for each device from your payload, and finally importing them into your import set table.
Transforming your CI's into the CMDB
Finally, you will need to create a transform map for your import set table. Navigate to System Import Sets > Create Transform Map. Name it anything you'd like and choose your import set table as the source table. The target table should be the CMDB table you want to import the devices into. Map the appropriate fields from the import set table to the CMDB table and make sure you set a coalesce on a field that is unique to each device.
You are finally DONE! Once the scheduled job runs, the transform map you created will automagically run and import the records into the CMDB table of your choice.
FAQs
To get started, you'll need to have an active Remote Help trial or add-on license and then configure the ServiceNow connector to establish a connection between Intune and your ServiceNow instance. For more information, see Use remote help with Intune.
What is Intune integration? ›
Intune simplifies app management with a built-in app experience, including app deployment, updates, and removal. You can connect to and distribute apps from your private app stores, enable Microsoft 365 apps, deploy Win32 apps, create app protection policies, and manage access to apps and their data.
Can Windows Server be enrolled in Intune? ›
Wrap Up. It is possible to use Intune as a single management plane for managing Microsoft Defender Antivirus even in Windows Servers. Managing AV in the servers may require additional integration and configuration between Intune and Configuration Manager, but the results worth the effort.
What is Intune ServiceNow? ›
A ServiceNow Intune integration provides a bird's-eye view of your assets that is not inherent to Intune alone. This overview allows you to see exactly what devices you have in your environment and view relevant information about each of them, including their model number and date of acquisition.
What is the purpose of Microsoft Intune? ›
Microsoft Intune is a cloud-based enterprise mobility management tool that aims to help organizations manage the mobile devices employees use to access corporate data and applications, such as email.
What is difference between Intune and SCCM? ›
Intune is a cloud-based solution that allows you to manage company-owned and personal devices, while SCCM is a more traditional on-premises solution.
What is the difference between Azure and Intune? ›
Azure Active Directory (Azure AD) is a universal identity management platform that incorporates user credentials and strong authentication policies to safeguard your company's data, while Microsoft Intune provides cloud-based mobile device management (MDM) and mobile application management (MAM).
Can Intune integrate with PowerShell? ›
Use the Microsoft Intune management extension to upload PowerShell scripts in Intune. Then, run these scripts on Windows 10 devices. The management extension enhances Windows device management (MDM), and makes it easier to move to modern management.
What licensing do you need for Intune? ›
Intune is included in the following licenses: Microsoft 365 E5. Microsoft 365 E3. Enterprise Mobility + Security E5.
Does every user need an Intune license? ›
Each device that accesses and uses the online services and related software (including System Center software) must have a device license. If a device is used by more than one user, each device requires a device based software license or all users require a user software license.
From Intune's Admin console you can deploy software packages, updates, and patches. The tool also allows for push-update scheduling, define update/patch deploy strategies, and much more.
What integration is supported by ServiceNow? ›
What types of integration technologies and methods does ServiceNow offer? The Now Platform supports most common integration technologies including but not limited to web services, file retrieval/import sets, JDBC connections, LDAP, REST and SOAP, and Excel, CSV, and e-mail transmissions.
Is Intune now Endpoint Manager? ›
Microsoft Intune is a cloud-based unified endpoint management solution that simplifies management across multiple operating systems, cloud, on-premises, mobile, desktop, and virtualized endpoints.
Is Intune SaaS or PAAS? ›
Microsoft Intune is the SaaS solution provided by Microsoft. Microsoft Intune is a cloud-based desktop and mobile device management tool.
Is Intune a MDM solution? ›
Microsoft Intune is a cloud-based service designed for mobile device management (MDM) and mobile application management (MAM).
What is the difference between MDM and Intune? ›
The main difference of MDM for Office 365 vs Intune is that Intune is not limited to Office 365-related scenarios. For most organizations, the management boundaries must expand to include all apps and data that can be exposed via AAD and all apps on the devices that can use modern authentication.
What is the new name of Microsoft Intune? ›
Effective October 12, 2022, Microsoft Intune becomes the name of the endpoint management family with the name Microsoft Endpoint Manager no longer being used. Going forward, Microsoft will refer to cloud management as Microsoft Intune and on-premises management as Microsoft Configuration Manager.
Can Intune replace SCCM? ›
You can use both Intune and SCCM to manage Windows 10 systems using a configuration Microsoft calls co-management. The tools have some capabilities that overlap, but you will most likely use them in a complementary fashion.
Does Endpoint Manager replace Intune? ›
Microsoft Intune still exists -- both in name and product -- and is now part of MEM. Even as part of Microsoft Endpoint Manager, IT administrators can still use Intune as a separate management platform for mobile device management (MDM) and unified endpoint management (UEM).
What is replacing SCCM? ›
Starting in version 1910, Configuration Manager current branch is now part of Microsoft Endpoint Manager.
@lalajee No, if you want to use intune, it is needed to connect to Azure AD.
Is Intune platform as a service? ›
Intune is a cloud-based enterprise mobility management (EMM) service that helps enable your workforce to be productive while keeping your corporate data protected. With Intune, you can: Manage the mobile devices your workforce uses to access company data. Manage the client apps your workforce uses.
Is Intune still called Intune? ›
Microsoft Intune (formerly Windows Intune) is a Microsoft cloud-based unified endpoint management service for both corporate and BYO devices. It extends some of the "on-premises" functionality of Microsoft Endpoint Configuration Manager to the Microsoft Azure cloud.
Can Intune deploy EXE? ›
As sad before, with Microsoft Intune you cannot publish .exe files directly. We first need to “wrap” all the source files that are needed for the installation into a . Intunewin file.
Does Intune run scripts as admin? ›
If you have users or computers together in various groups, you might need to unwind your existing Azure or AD group memberships just to use Intune scripts. Beyond that, scripts cannot be run interactively nor can they perform admin-like things in the user context.
Does Intune override GPO? ›
Result – Intune Policies Override Group Policy Settings – The winner is here Group Policy Vs. Intune Policy. Finally, MDM CSP wins over GP. As shown below, MDM CSP configures the “Home Page” value.
How often do machines sync with Intune? ›
Re: Intune Sync Interval
Windows devices syn approximately every 8 hours.
How do I remotely access my Intune computer? ›
Sign into Microsoft Endpoint Manager admin center and go to Devices > All devices and select the device on which assistance is needed. From the remote actions bar across the top of the device view, select New remote help session. This action opens the remote help app.
How much does an Intune license cost? ›
Microsoft Intune is a cloud-based platform that allows IT managers to control how end users interact with work-related devices. The Pricing for Intune is a monthly rate of $10.60 for an E3 package, and $16.40 for an E5 Security package.
What is the maximum number of devices allowed in Intune? ›
Intune device limit restrictions
You can allow a user to enroll up to 15 devices. To set a device limit restriction, sign in to Microsoft Endpoint Manager admin center. Then go to Devices > Enrollment restrictions. For more information, see Create a device limit restriction.
Trying out Intune is free for 30 days. If you already have a work or school account, sign in with that account and add Intune to your subscription. Otherwise, you can sign up for a new account to use Intune for your organization.
Is Intune per device or per user? ›
Intune per-device for Enterprise
This Intune per-device offer helps organizations manage devices that are not used by multiple authenticated users.
Do you need Office 365 to use Intune? ›
Microsoft Intune is a standalone product included with certain Microsoft 365 plans, while Basic Mobility and Security is part of the Microsoft 365 plans.
What happens if a device is not compliant in Intune? ›
The result of this default is when Intune detects a device isn't compliant, Intune immediately marks the device as noncompliant. After a device is marked as noncompliance, Azure Active Directory (AD) Conditional Access can block the device.
Can you push Windows updates through Intune? ›
You can configure, deploy, and pause update installation with Windows Update for Business settings using Microsoft Intune.
Can Intune manage patching? ›
Microsoft Software Update Patching process for Intune admins. Intune helps configure Windows Update for Business (WUfB) policies to patch. This is the simplified patch management using Intune and WUfB.
Can Intune push out updates? ›
With Intune, you can configure update settings on devices and configure deferral of update installation. You can also prevent devices from installing features from new Windows versions to help keep them stable, while allowing those devices to continue installing updates for quality and security.
How does intune give my users a self service experience? ›
How does Intune give my users a self-service experience? Across all device types, you can create an Intune company portal app to give your users a self-service experience. Users log in to the portal and see the applications available to them. You might have 15 corporate apps, 5 of which all users need.
Does ServiceNow RUn on Azure? ›
ServiceNow Cloud Management uses the latest Azure technology for Azure provisioning, supports a comprehensive set of Azure IaaS and PaaS services, and is deeply integrated with the Azure Enterprise Billing API.
Does ServiceNow use AWS or Azure? ›
With ServiceNow Cloud Management, ServiceNow customers use their existing investment to manage the AWS Cloud more effectively and efficiently—and existing AWS customers enhance visibility and control using ServiceNow's proven and trusted single system of record.
ServiceNow enables Microsoft to integrate its digital environment with ServiceNow ITSM functionality and Microsoft uses out-of-the-box ServiceNow functionality whenever suitable.
What is LDAP integration in ServiceNow? ›
The acronym LDAP stands for Lightweight Directory Access Protocol. It can be used to populate user data and authenticate users. ServiceNow integrates with an LDAP directory to automate user creation and role assignment and to streamline the user log in process.
Can we integrate ServiceNow with Azure DevOps? ›
Set up the Azure DevOps organization
Install the ServiceNow Change Management extension on your Azure DevOps organization. Create a new ServiceNow service connection in your Azure DevOps project as follows. Alternatively, you can also use OAuth2 authentication.
What is the difference between Intune and Autopilot? ›
Microsoft Autopilot, also known as Windows Autopilot, utilizes Intune and other Microsoft policies to set up and pre-configure new devices. Doing so gets the devices ready for productive use without needing an IT professional to sign into it. Autopilot is used for Windows or HoloLens 2 devices.
Do I need an Intune license for every user? ›
Each device that accesses and uses the online services and related software (including System Center software) must have a device license. If a device is used by more than one user, each device requires a device based software license or all users require a user software license.
What is the difference between Microsoft Azure and Intune? ›
Azure Active Directory (Azure AD) is a universal identity management platform that incorporates user credentials and strong authentication policies to safeguard your company's data, while Microsoft Intune provides cloud-based mobile device management (MDM) and mobile application management (MAM).
What devices does Intune support? ›
NOTE] Intune now requires Android 5. x (Lollipop) or higher for applications and devices to access company resources via the Company Portal app for Android and the Intune App SDK for Android. This requirement does NOT apply to Polycom Android-based Teams devices running 4.4. These devices will continue to be supported.
