Add InTune to SaaS Agent

Task List

| Task # | Task | Performed by |
|---|---|---|
| 1 | Prepare InTune for use with CI Sync | Azure Admin |
| 2 | Add InTune as a Source System using the CI Sync SaaS UI | CI Sync Admin |
| 3 | Check status of new InTune Source System connection | CI Sync Admin |
| 4 | Perform Updates in ServiceNow (if required) | ServiceNow Admin |
| 5 | Do Not Synchronize Installed Software from two different source systems | CI Sync Admin |


Task 1: Prepare InTune for use with CI Sync

  1. In the Azure Portal, navigate to Azure Active Directory -> App Registrations and click New Registration

  2. On the Register an application form complete as follows:

    1. Enter the Name (Note: Syncfish recommend using “CI Sync Agent Connector for InTune”)

    2. Under Supported account types select “Accounts in this organizational directory only ({Your Domain/Tenant Name} only - Single tenant)”

    3. Click Register

  3. Navigate to API permissions and click Add Permission

  4. Click on Microsoft Graph

  5. Click on Application permissions

  6. In the Select permissions filter, enter “device” and then do the following:

    1. First, find and expand DeviceManagementApps, then tick/select
      DeviceManagementApps.Read.All
      Read Microsoft InTune apps

    2. Next, find and expand DeviceManagementManagedDevices, then tick/select
      DeviceManagementManagedDevices.Read.All
      Read Microsoft InTune devices

    3. Finally, click the Add permission button

  7. For a second time, click on Application permissions, select Microsoft Graph and then click Application Permissions

  8. In the Select permissions filter, this time enter “user” and then do the following:

    1. First, expand User, then tick/select
      User.Read.All
      Read all users’ full profiles

    2. Then, click the Add permission button

  9. You should now be back on the API Permissions form showing the list of permissions you selected (see screen shot below to validate you have selected the required permissions).

    1. Now, Click Grant admin consent for {Your Domain Name}

  10. Click Yes to confirm granting Admin Consent. The resulting screen should look as shown below.

  11. Using the left-hand menu, navigate and select Certificates & secrets. Select “Client secrets (0)” in the middle of the form and then click the “New client secret” button.

  12. Enter a unique Description for the secret associated with this CI Sync Agent Connector for InTune App Registration (e.g. “CI Sync Agent Connector for InTune Client Secret”).

  13. Then, select a suitable Expires duration based on your organisational policy. Finally click the Add button.


Guidance Note

It is recommended you set a reminder prior to the expiry date of the Secret (i.e. a reminder to regenerate in Azure and then update the secret in the CI Sync Agent Config Utility).


  14. The form now displays the generated secret value (shown in the Value field)

    1. Use the copy option to make a copy of the value in the Value field.


Data Capture Note

  1. The Value is only available while you remain on this screen. You must make a copy of the Value before leaving this form.

  2. Make sure you copy the “Value” and NOT the “Secret ID”.

Make sure the secret is stored securely and in a way that can be shared with the CI Sync Admin so they can use it when they follow the instructions later in this page.

  15. Return to the Overview page for the App Registration.

    1. Use the copy option to make a copy of the “Application (client) ID” GUID value and the “Directory (tenant) ID” GUID value.


You have now granted the App Registration object (i.e. the CI Sync Agent Connector for InTune) read permissions to InTune which will allow you to use the CI Sync Web UI to schedule synchronization jobs using that same InTune as a synchronization source.
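A check the Azure Admin can run on an access token obtained with the new App Registration, to confirm it carries exactly the three read permissions granted above and nothing broader. This is an added example, not Syncfish code; the function names, GUIDs and sample tokens are constructed for illustration, and the token is only decoded for inspection (its signature is not verified).

```python
import base64
import json

# Application permissions granted in Task 1 (all read-only).
EXPECTED_ROLES = {
    "DeviceManagementApps.Read.All",
    "DeviceManagementManagedDevices.Read.All",
    "User.Read.All",
}
TENANT = "00000000-0000-0000-0000-000000000001"  # constructed placeholder GUID
CLIENT = "00000000-0000-0000-0000-000000000002"  # constructed placeholder GUID

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_claims(token: str) -> dict:
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audit_token(token: str, tenant_id: str, client_id: str) -> dict:
    """Compare an app-only token's tenant, app and roles with what Task 1 set up."""
    claims = decode_claims(token)
    roles = set(claims.get("roles", []))  # application permissions appear in "roles"
    app = claims.get("appid") or claims.get("azp")  # v1 tokens: appid, v2 tokens: azp
    report = {
        "tenant_ok": claims.get("tid") == tenant_id,
        "app_ok": app == client_id,
        "missing": sorted(EXPECTED_ROLES - roles),  # consent not granted yet
        "excess": sorted(roles - EXPECTED_ROLES),   # more access than this guide needs
    }
    report["ok"] = (report["tenant_ok"] and report["app_ok"]
                    and not report["missing"] and not report["excess"])
    return report

def make_sample_token(tid: str, appid: str, roles: list) -> str:
    """Build a constructed, unsigned sample token so the example runs offline."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url(json.dumps({"tid": tid, "appid": appid, "roles": roles}).encode())
    return f"{header}.{body}.sig"

if __name__ == "__main__":
    good = make_sample_token(TENANT, CLIENT, sorted(EXPECTED_ROLES))
    wide = make_sample_token(TENANT, CLIENT, sorted(EXPECTED_ROLES) + ["Directory.ReadWrite.All"])
    print(audit_token(good, TENANT, CLIENT))
    print(audit_token(wide, TENANT, CLIENT))
```

A non-empty "excess" list means the App Registration holds permissions beyond the three this guide requires; a non-empty "missing" list usually means admin consent was not granted.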

Data Capture Summary

As a reminder, you should have captured the following information when completing the above steps.

  1. The Secret Value (from Step 14 above). This is the Client Secret value.

  2. The Application (client) ID (from Step 15 directly above).

  3. The Directory (tenant) ID (also from Step 15 directly above).

Make sure any secrets or sensitive information is stored securely and in a way that can be shared with the CI Sync Admin.

These values will be used later by the person following the instructions in Task 2 immediately below.


Task 2: Add InTune as a Source System using the CI Sync SaaS UI

  1. Login to your CI Sync SaaS instance at https://YourCo.syncfish.app

  2. In the CI Sync UI, navigate to Settings > Connections.

  3. Find the “SaaS Agent” sub-heading under the Source Connections section. If you don’t see “SaaS Agent” it means your CI Sync instance hasn’t been configured for this feature. Please contact your Sync representative to discuss.

  4. On the right hand side of the form, click the +Add button.

  5. The New Connection form now appears. Use the Connection Type drop down list to select the source system you wish to add (in this case Microsoft InTune).

  6. Update the fields using these instructions

    1. Connection name

      1. This is a friendly name that represents the source system connection.

      2. The name you enter here will appear when you create a new sync job and are selecting from the available source system list.

      3. Note: Syncfish recommend using a textual suffix on the connection name if for any reason you have setup multiple CI Sync Connections to InTune.

    2. Alias: Please ignore this field (it is not used for the CI Sync Cloud Agent and is being deprecated).

    3. Environments

      1. Select from the available choices Production, Test, or Production/Test (the latter being both).

      2. The selection you make for this field affects which source systems appear when you create a new sync job (i.e. when you are selecting the source system list based on the “Environment” you have chosen for the sync job). See this page for more details on creating a CI Sync job: Run a Small Initial Sync Job (then run more).

      3. FYI: CI Sync allows a source system to be both Production/Test because CI Sync only reads from a source system (it doesn’t write to it). Destination systems can only be Test or Production (not both).

    4. Directory (tenant) ID

      1. Paste the Azure/Entra Directory (tenant) ID captured by your Azure Admin in Task 1 above.

    5. Application (client) ID

      1. Paste the App Registration Application (client) ID captured by your Azure Admin in Task 1 above.

    6. Client Secret Value

      1. Paste the Client Secret Value captured by your Azure Admin in Task 1 above.

    7. Then click the Consent to update fields checkbox.

    8. Finally click the Create connection button.

You will be returned to the main settings screen and your new source system connection will appear in the list as shown below.


Task 3: Check status of new InTune Source System connection

  1. To check the status of the newly added InTune Source System connection click the green Check Status link. This will test whether your CI Sync InTune connection can successfully reach and authenticate to the Azure Entra ID defined in the connection itself.

  2. If the connection is successful, you will see a green dot next to the source connection name.

  3. To test again in the future, you can click the green Refresh Status button.

  4. If the test is unsuccessful, you will see a red dot next to the source connection name and an error message underneath. If you need assistance resolving an error, please contact Syncfish support.

Once the connection shows a green dot, you are ready to run a sync job using the new source connection by following these high-level instructions: Run a Small Initial Sync Job (then run more).


Task 4: Perform Updates in ServiceNow (if required)

Guidance Note

Syncfish recommend the person setting up the source system described in this guide discusses this particular task with their ServiceNow system administrator. 

A ServiceNow administrator will need to perform these steps.

Syncfish recommend following these instructions in your non-production ServiceNow environment for testing synchronization jobs.

Only once exhaustive testing in non-production is complete, repeat this process in your ServiceNow production environment.

In this section your ServiceNow SME will assess various updates to ServiceNow to support this CI Sync connector:

  • Task 4a: Assess if the CMDB CI Class Models plug-in is required

  • Task 4b: Assess if additional permissions are required

  • Task 4c: (Optional though recommended) Assess your ServiceNow CI forms and update to include additional Related Lists


Task 4a: Assess if the CMDB CI Class Models plug-in is required

A number of record sets (asset types/resource types) available to sync using the InTune Connector rely upon CMDB CI Classes that are only available via the CMDB CI Class Models plug-in. 

You therefore need to install the CMDB CI Class Models plug-in to your ServiceNow instance.

If you already have the plug-in you may want to upgrade it to the latest version (as ServiceNow occasionally updates the plug-in to include extra CI Classes/tables).

| Source System | Specific Record Sets that require the CMDB CI Class Models plug-in |
|---|---|
| InTune | Android, iPhone, iPad |

Instructions

Follow these steps to add this plug-in (and similar steps to locate it and upgrade it if required):

  1. Assess the use/inclusion of this plug-in within your ServiceNow (ensure you are comfortable installing this plug-in).

  2. Search for Plugins via the ServiceNow navigation menu.

  3. Locate the CMDB CI Class Models plug-in.

  4. Click Add -> Install and follow the instructions provided.


Task 4b: Assess if additional permissions are required

No additional permissions are required in ServiceNow to support the CI Sync InTune connector. Therefore you can ignore/skip this task.


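Task 4c: (Optional though recommended) Assess your ServiceNow CI forms and update to include additional Related Lists

Context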

CI Sync populates various child tables (related lists) associated with parent CIs. The following table shows the Related Lists (per CI Class) populated by the CI Sync InTune Connector.

| CI Class | Related List (i.e. friendly name) | Related List Name as it appears in the ServiceNow UI when adding it to a CI Form |
|---|---|---|
| Apple Macs | Software Installations | Software Installed |
| Windows PC | Software Installations | Software Installed |
| Android | Software (via Airwatch) | Software Installed |
| iPad | Software (via Airwatch) | Software Installed |
| iPhone | Software (via Airwatch) | Software Installed |

Instructions

Below are the steps to modify a ServiceNow CI form to expose a new Related List.

  1. Login to your ServiceNow instance with Admin permissions.

  2. Navigate to any CI in the relevant CI Class (i.e. one/all of those listed in the table in the Context section above). For example, navigate to a Windows Server CI.

  3. Right-click in the heading area of the form, then click Configure and then Related Lists from the sub-menus.

  4. Identify the Related List you want to expose on the CI form using the table in the Context section above.

  5. Find the Related List in the left hand column which lists all Available Related Lists.

  6. Click the Related List and then click add (the selection arrow) to move the item to the Selected column and then click Save.

  7. Repeat for each additional CI Class listed in the table in the Context section above.


Task 5: Do Not Synchronize Installed Software from two different source systems

Customers should be aware that if you synchronize Installed Software (i.e. the installed software applications for the same IT asset) from two different source systems (e.g. from InTune and Defender, or from Lansweeper and Defender, or InTune and SCCM, etc.) for the same device, you will end up with duplicate software instance records in your CMDB.

The cause of this issue is the naming convention of Installed Software is inconsistent between different source systems, and therefore CI Sync cannot reliably correlate the Installed Software per CI within the CMDB. By way of example:

  • In InTune, “Microsoft Teams” is stored as “MSTeams” (and there is no Manufacturer attribute in InTune).

  • However, in Defender for Endpoint, “Microsoft Teams” is stored as “Teams”.

Important Recommendation from Syncfish

Syncfish do NOT recommend synchronizing Installed Software from two different source systems.

Below are some notes to action this advice in the CI Sync Web UI:

  • When you are creating a sync job via the CI Sync UI and reach the Selections page, do not select “Software” or “Software Installs” from a given source system if you have already selected Installed Software on another source system sync job.

The screen shot below shows a sample of the Selection page for InTune as the source system for a CI Sync job. If you have selected Software Installs for InTune you should not select Software Installs for a Microsoft Defender for Endpoint sync job (as shown on the subsequent screen shot below).

The screen shot shows the Selection page for Microsoft Defender for Endpoint as the source system for a CI Sync job. You should NOT select Software Installs via Microsoft Defender for Endpoint because you have selected Software Installs via the InTune source system.


The same logic/approach applies to any other source system that offers Installed Software, such as SCCM or Lansweeper. The key message is: Syncfish do NOT recommend synchronizing Installed Software from two different source systems.