Blaine County

Modern Endpoint Management Pilot with Azure AD and Intune

Date: 01/12/2023
Prepared For: Ben Parker
Prepared By: Brett Sower, Adam Eldred, Bob Prahl, Randy
Elsethagen

ENGAGEMENT SUMMARY
This Statement of Work ("SOW") is made as of 01/12/2023 (the "Effective Date") by and between Blaine
County ("Customer") and CompuNet, Inc. This SOW is made a part of and is subject to the Terms and
Conditions (Appendix A). Collectively, this SOW, and Appendix A are referred to as the "Agreement."
CompuNet, Inc. will provide services to Customer under this Agreement as further described below.

Overview Of Services
Executive Summary
Customer has engaged CompuNet to help modernize endpoint management within the
organization using Microsoft technologies, specifically Azure Active Directory and Intune.

The IT landscape has changed radically over the last decade: Increased security threats demand constant
vigilance while business needs dictate a highly mobile workforce. Many IT departments struggle to
monitor, secure, and support corporate endpoints, much less handle BYOD initiatives. Traditional
management tools, such as Active Directory and Group Policies, were simply not designed with today’s
needs in mind. Microsoft recognized this industry shift and has spent years moving their focus to cloud-
based technologies that offer better flexibility and simplified management. Microsoft’s Azure Active
Directory (for identity management) and Intune (for mobile device/application management) are both
industry leading tools that greatly simplify modern endpoint management. Adopting these technologies
allows endpoints to be rapidly updated and monitored, while reducing the reliance on connectivity to local
network resources.

CompuNet has developed a set of best practices around endpoint modernization after multitudes of
deployments across several verticals. Mass-deployment of new technologies often taxes an organization’s
tolerance for change and can have unexpected conflicts with existing systems. Working with your staff on
a “greenfield” pilot deployment provides ample opportunity for education and testing without impacting
business users. This pilot starts with a broad training session to educate your staff on the capabilities of
Microsoft's endpoint management suite. The following pilot implementation will cover deployment
methodology, securing endpoints, software deployment, and interoperability testing with your specific
environment. This pilot configuration will then easily roll into production at a pace that is comfortable for
your team, with adequate training to ensure they can expand and maintain the deployment with minimal
outside assistance.

CompuNet has worked diligently to prove our value and commitment to our Customers. We will continue
to strive to bring value, integrity, and a shared commitment to your goals. Thank you for the opportunity
to earn your business.

Project Overview
CompuNet will start with a technical overview of Microsoft’s cloud-based endpoint management tools. We
will then work with your team to configure a pilot deployment of cloud managed Windows endpoints. This
will include configuration and testing of:

• Native Azure Active Directory join for authentication
• Autopilot deployment profile
• Baseline Windows Security policy
• Disk Encryption
• Host Firewall configuration
• Windows Update Rings configuration
• Software package deployment
• Device configuration profiles
• Device compliance profile

In addition to configuration items around Windows management, we will also cover basic configuration of
other Microsoft tools that frequently help support modern endpoint deployments:

• Mobile application management policy within Intune to limit data exposure when using Office apps
on mobile devices
• Microsoft Application Proxy to simplify access to internal web services without the need for
Customer VPN

Location
All work will be completed remotely.

Engagement Timeline
Project duration is expected to take up to 4 weeks. Project start date will be agreed upon in advance by
both Customer and CompuNet. Work schedule will be driven by the schedules and availability of critical
personnel.

SERVICE & DELIVERABLES


Phase 1: Project Kickoff
This initial meeting will serve to organize the project. We will cover:

• Review of project scope and objectives
• Mapping of project timelines, scheduling, and logistics
• Identification of key project team members
• Review of prerequisites and other preparation required, including system access (credentials)
• Verification of current Azure Active Directory Connect (AADC) configuration
• Review licensing required for features and functionality in this SOW
• Q&A
• Scheduling of technical training session

Phase 2: Technical Overview


In this session, CompuNet will lead a 90-minute training session for staff to become familiar with
Microsoft's modern endpoint management tools and their capabilities. This training is technical in nature,
but applicable to most IT team members. Participation of multiple groups within IT is encouraged, even if
those users will not directly support endpoint management tools. Broad understanding of endpoint
management capabilities will help ensure a successful rollout. Questions and informal planning are
expected during this session as staff identify features they would like to see implemented in the pilot.

Phase 3: Desired State Planning


After the initial kickoff and technical review, a dedicated session will be held to discuss desired
configurations to be applied in the pilot. This will serve as a time to discuss what configuration should be
replicated from traditional systems and what should be added or removed to support the new endpoint
management model. This is a technical session that usually involves review of current systems and
requires input from Customer's team on challenges they would like to solve during the pilot. Common
topics to be covered include:

• Configuration items to be migrated from Group Policy
• Desired initial applications for deployment
• Unique environmental challenges
• Test cases to be reviewed during the pilot

Phase 4: Initial Configuration


CompuNet will guide staff through the initial configuration of desired policy over multiple working
sessions. Questions are encouraged as we work through this process so staff can manage and expand
upon the configuration deployed during the pilot. A testing workstation is needed during this phase to
validate settings as they are applied and allow for Customer to perform extended testing between
sessions. We will configure initial settings for:

• Methodology to join systems into Intune
• Azure Active Directory join for authentication
• Windows Autopilot
• Hello for Business
• Baseline Windows Security
• Disk Encryption
• Host Firewall
• Windows Update Rings
• Software package deployment
  • Including Office applications and up to two additional Customer applications
• Device configuration
• Device compliance
• Overview of device wipe/reset
• Mobile Application Management (MAM)
  • To control data exposure on mobile devices when using Microsoft applications
• Microsoft Application Proxy deployment for one internal web application (optional)

Configuration is focused on best practice settings developed by CompuNet engineering with slight
adjustments for the specific environment. While not all features within Intune are covered, the pilot will
provide a solid foundational baseline that covers common use-cases.

Phase 5: Expanded Pilot Deployment


With initial configuration deployed and tested with a limited set of secondary devices, the deployment will
be expanded to the actual pilot group of users. Generally, this will be IT staff or other technically savvy
users who can provide detailed feedback and work around any hurdles as the pilot is fine-tuned. It is
recommended that systems be re-imaged to ensure there are no conflicts with prior configurations, so
this step also acts as validation of backup and restore processes around user data. CompuNet will assist
to get systems onboarded and work through any issues as configurations are used in limited production
scope:

• Work with Customer to ensure user data can be migrated
• Deploy Configurations to test devices and users
  • Additional devices will be added gradually as process is validated
  • Not to exceed ten (10) total devices for pilot
• Ensure that enrollments and application management work in accordance with the capabilities of
Endpoint Manager
• Review steps to deploy policies to entire organization

Phase 6: Project Closeout


Once pilot devices are tested and working with initial configurations, CompuNet will lead a closeout
meeting to review any key details and answer any remaining questions.

• CompuNet review of any key notes or specific information related to Customer's environment
• Q&A session to cover any remaining topics
• Validation that all success criteria have been met and project closeout

Customer Prerequisites
Customer is responsible for procuring appropriate licensing prior to project start.

• A license will be required for any user logging onto a managed workstation, specifically one of
these:
  • Microsoft 365 E5
  • Microsoft 365 E3
  • Enterprise Mobility + Security E5
  • Enterprise Mobility + Security E3
  • Microsoft 365 Business Premium
  • Microsoft 365 F1
  • Microsoft 365 F3
  • Microsoft 365 Government G5
  • Microsoft 365 Government G3
• Other licenses may be applicable but may reduce functionality and should be reviewed with
CompuNet.

Administrator access will be required to Customer's Azure AD tenant.

• This may be supervised access but granting temporary access to the CompuNet engineer as a
guest user is often helpful for troubleshooting during the project.
• Some setup may require Global Administrator privileges, but most actions can be performed by the
"Intune Administrator" role.

A functional Azure Active Directory tenant synced with on-premises Active Directory is required
prior to project kickoff.

• Azure AD Connect settings will be validated by CompuNet engineer during project kickoff.

Scripted installation files and procedure must be provided for any applications to be deployed
as part of the pilot.

• Typically, an MSI installer satisfies this requirement, but Customer is responsible for validating
deployment process with the application vendor.

Customer is responsible for user data migration strategy when moving systems to Intune
management.

• CompuNet strongly recommends deployment of OneDrive with common folder redirection prior to
pilot deployment.
  • Basic support for ensuring OneDrive data is restored upon user login will be covered during
    the project, but a broad deployment of OneDrive is outside the scope of this project.
• CompuNet will assist with developing a migration strategy, but deployment of data migration tools
on existing systems is outside the scope of this project.

Additional Technical Information


Microsoft Claiming Partner of Record (CPOR). CPOR is a Microsoft program for measuring partners’
effectiveness in helping organizations succeed with the deployment of Microsoft 365 services. A CPOR
association between your organization and CompuNet creates a distinct pairing that is different from your
CSP agreement. This program allows a Customer to work with multiple partners and associate to each
partner based on the workload through which they support that Customer.

This CPOR association is important to both your organization and CompuNet because it helps us maintain
our strong partnership with Microsoft through competencies and advanced specializations. CPOR then
provides CompuNet access to additional programs that allow us to better support you, our Customer.

CompuNet will request association as your Partner of Record during the kickoff phase for the Microsoft
365 workloads relevant to this engagement. Once our request is made you will receive an email from
Microsoft informing you of the association.

Additional Assumptions & Exclusions


• This pilot is focused on a "greenfield" deployment of Microsoft endpoint management
tools on the Windows operating system. Alternative Intune configurations are possible
but may require modification of this scope of work; please speak with your CompuNet
account team if you have any additional use cases you would like to cover.
• The pilot is a deployment of a baseline best practices configuration developed by
CompuNet staff. The deployment will generally provide the knowledge for customer staff
to expand the initial pilot to additional use cases, but extensive customization or
multiple policy sets are outside the scope of this engagement.
• Successful project completion may not be based on the technical limitations of Intune.
• This project is limited to configuration of a single Azure AD domain and single instance of Intune.
• Any network and/or firewall configurations needed will be the responsibility of Customer.
  • Intune makes use of Windows Delivery Optimization, which requires some peer-to-peer
    communication or specific configuration if strict firewall policy is in place.
  • https://learn.microsoft.com/en-us/windows/deployment/do/waas-delivery-optimization
  • HTTP resume should not be blocked at the firewall
• Any Apple IDs, Google Play accounts, or certificates needed for the deployment are the
responsibility of Customer.
• Unless otherwise noted, each configuration category will be limited to a single best practices policy.
• All licensing needed to comply with Microsoft guidelines is the sole responsibility of Customer.
• This project assumes a "greenfield" deployment in parallel to traditional endpoint management.
  • Hybrid management options exist for Intune and may be discussed but are not recommended
    due to policy conflicts.
  • Any troubleshooting related to hybrid deployment models is outside the scope of this project.

Maintenance Requiring Change Management


This project targets a "greenfield" deployment in parallel to existing endpoint management tools. Most
work will be non-disruptive to the user environment and Azure AD tenant. If existing systems are
migrated to Intune management as part of the pilot, it may be necessary to re-install Windows on those
systems which will require a planned outage for any users of that particular workstation. Any outages or
possible disruptions will be planned with Customer.

PROJECT MANAGEMENT
The Project Manager shall provide the following services:

• Project Initiation - The Project Management team will coordinate a kick-off call to commence the
project
• Project Planning - The Project Management team will develop project planning documents
including timelines, tasks, resource assignments
• Project Management - The Project Management team will manage the project in accordance with
the CompuNet Project Methodology and Framework
• Project Closure - The Project Management team will create project acceptance documentation to
be signed upon completion of the project

PROFESSIONAL FEES
Pricing for the proposed scope of work is as follows:

Service Fees            Extended Amount

Total Service Fees      $10,000.00

This is a fixed-fee engagement.

Travel & Expenses


CompuNet, Inc. will not bill Customer for expenses in conjunction with this Statement of Work.

Amendments
This SOW may only be changed by a written amendment executed by an authorized representative of
each party. The amendment must expressly refer to the SOW being amended; no amendment is binding
or effective until it is completed by an authorized officer of each party as provided herein.

COMPUNET TEAM & RESPONSIBILITIES


The following contractor resources will be dedicated to this project:

Randy Elsethagen
Senior Account Executive
(208) 562-4720
randyelsethagen@compunet.biz

Brett Sower
Solutions Engineer
(208) 813-3194
bsower@compunet.biz

Adam Eldred
Solutions Architect
(208) 813-3228
aeldred@compunet.biz

Bob Prahl
Project Manager
(208) 488-7264
bprahl@compunet.biz

CUSTOMER ACCEPTANCE
Pricing is effective if Statement of Work is signed by 02/11/2023.

Customer authorizes CompuNet to deliver consulting services under the terms defined in this Statement
of Work. In addition, you hereby represent that the signatory below is duly authorized to execute this
Agreement on Customer's behalf. The Effective Date of the Agreement is the date of last signature below.

For: Blaine County
By:
Name:
Title:
Date Signed:
Notice Address:
Blaine County IT
219 S. 1st Ave, Ste 207
Hailey, ID 83333
Customer PO:

For: CompuNet, Inc.
By:
Name:
Title:
Date Signed:
Notice Address:
1111 S. Silverstone Way, Suite 200
Meridian, ID 83642
Attn: Tom McFarlin


APPENDIX A: TERMS & CONDITIONS


• CompuNet will require access to facilities and Customer owned network equipment on an "as
needed" basis and during regular business hours only. Should access be needed outside of standard
business hours, prior arrangements must be made with both a CompuNet associate and the
Customer.
• Time and expense work is billed on a monthly basis for the actual hours and expenses incurred.
• CompuNet contract services are invoiced as Net 30 unless other arrangements are agreed upon prior to
sign off of this contract.
• CompuNet will make prior arrangements with the appropriate Customer IT onsite staff to be
available as needed during the installation.
• CompuNet provides appropriate personnel to perform the services specified in the Project Scope
section above.
• Customer will designate a single point of contact (Project Manager) for all matters relating to this
engagement.
• Customer will provide required access to facilities and network equipment, both physical and
remote, as needed for a successful engagement by the CompuNet engineer.
• Customer will provide all existing configurations and pertinent network diagrams prior to
installation.
• Services to be performed during normal business hours (8:00 AM to 5:00 PM, local time), Mon - Fri,
unless Customer policies require off-hours deployment, in which case such time will be scheduled
with CompuNet engineer.
• Custom configuration work and training can be provided outside the scope of this engagement on a
time & expense basis.
• Training and shadowing will be provided to assigned Customer IT staff during implementation
process.
• Upon project completion, Customer sign off is required to indicate acceptance that the scope of
work has been completed.
• Any additions or changes to this Statement of Work must be mutually agreed upon by CompuNet
and Customer in a separate CompuNet Statement of Work detailing the proposed changes, the
impact of the proposed change on pricing and schedule, and other relevant terms. Depending on
the scope of such additions or changes, Customer may be required to agree to CompuNet's then-
current standard terms and conditions for professional services. Such changes include, but are not
limited to:
  • Any additional hardware configuration not listed in this document.
  • Modification of the Customer's application software.
  • Development of custom solutions including scripting.
