Our plan: to have Staff experience the device as if it were their own device, i.e. full administrative rights and able to install software, but knowing that if there were issues the devices would be wiped and reset.
Setting up Azure AD
We followed the guides from Microsoft to create a synced copy of AD in the cloud, then used PowerShell to assign licenses to Staff and Students for Office 365, and to Staff for Intune.
Setting up Intune
We followed the guide from Microsoft.
Once Intune was set up we used the Default Policies for EDU from Microsoft for testing, liked them, did a small amount of editing and rolled these out. These include automatic encryption of the device, with the BitLocker key stored in Azure AD.
Proxy and filtering sign-in is required on Surface devices.
Two local admin accounts were added to all devices, one used by staff in a staged rollout that walked through the connection to O365. Once this connection was in place, we removed the second admin account. This method results in the AD user account having full administrative rights on the Surface.
We didn’t use auto-enrollment.
Office 2016 was taken care of out of the box following connection to Azure and the licenses therein.
Adobe Creative Cloud was purchased and rolled out.
School licenses that could be added are maintained through sharing from the cloud for users to connect to if required, with a Citrix interface if not.
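A device-side check for the end state described above (second local admin account removed, BitLocker protecting the OS drive), added here as an example and not part of the original notes. The account name `TempSetupAdmin` is a hypothetical placeholder, and the script assumes an elevated Windows PowerShell 5.1 session on the Surface.

```powershell
# Added example: run elevated in Windows PowerShell 5.1 on a deployed device.
$TempAdmin = 'TempSetupAdmin'   # hypothetical name of the second (removed) local admin

# Resolve Administrators by its well-known SID so localized group names work.
$adminGroup = Get-LocalGroup -SID 'S-1-5-32-544'

# Read membership through ADSI. Get-LocalGroupMember can fail on Azure AD joined
# devices when the group holds SIDs it cannot resolve to a name.
$adsi = [ADSI]"WinNT://./$($adminGroup.Name),group"
$members = @($adsi.psbase.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
}

# The temporary account should be deleted, not just dropped from the group.
$tempExists  = [bool](Get-LocalUser -Name $TempAdmin -ErrorAction SilentlyContinue)
$tempIsAdmin = [bool]($members | Where-Object { $_ -like "*/$TempAdmin" })

# BitLocker state of the OS volume. A RecoveryPassword protector must exist
# before a key can be stored in Azure AD; this does not prove it was stored,
# so confirm the key on the device record in Azure AD as well.
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
$hasRecoveryPw = [bool]($vol.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

$report = [pscustomobject]@{
    Computer            = $env:COMPUTERNAME
    AdminMembers        = $members -join '; '
    TempAdminExists     = $tempExists
    TempAdminInGroup    = $tempIsAdmin
    VolumeStatus        = $vol.VolumeStatus
    ProtectionStatus    = $vol.ProtectionStatus
    RecoveryPwProtector = $hasRecoveryPw
}
$report | Format-List

# A non-zero exit code lets a management tool flag the device.
$ok = (-not $tempExists) -and (-not $tempIsAdmin) -and
      ($vol.ProtectionStatus -eq 'On') -and $hasRecoveryPw
if (-not $ok) { Write-Warning 'Device does not match the intended state.'; exit 1 }
```

The `AdminMembers` field lists every remaining member of the local Administrators group, which is where the staff member's AD account is expected to appear.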