Microsoft Intune is a mobile device management (MDM) and mobile application management (MAM) provider for digital devices, including mobile phones, tablets and laptops. Windows 10, Windows 11, macOS, Android and Apple iOS are all supported. Intune is a cloud-based service which gives you control over how your organisation’s devices are used day to day in the workplace.
Intune is part of the Microsoft Enterprise Mobility + Security (EMS) suite. It integrates natively with the full suite of Microsoft 365 products, including Azure Active Directory (Azure AD) for access control (who can access what) and Azure Information Protection (AIP) for data protection.
Intune allows you to control applications using specific policies, such as preventing access to your Office 365 applications unless the user is on a company device, or enforcing password policies on mobile phones. You can deploy apps such as Office 365, Microsoft Teams and OneDrive as customised apps to devices.
One of the great features of Intune is controlling how users access company data on personal devices. This ensures all company data stays protected and separate from personal data.
There are endless opportunities and possibilities using Intune. A few key features are:
Microsoft Intune is a cloud-based service which allows you to remotely manage mobile devices and mobile applications. This allows you to have a super effective and productive mobile workforce, without the worry of your company’s data being compromised.
Below is a high-level diagram of the Microsoft Intune architecture. As you can see, the three main areas are configuring devices, protecting data, and managing apps. One thing to note is that even though Intune is a cloud-based product, it can also hook in to Configuration Manager to control your domain-joined devices which are already enrolled into Configuration Manager on-premises.
Common ways of using Microsoft Intune:
With Intune, you aren’t restricted to corporate devices. Intune gives you the flexibility of issuing corporate devices or allowing employees to use their personal devices too – by registering, enrolling, and managing their devices and then installing corporate applications from the Company Portal.
Intune allows you to manage devices using an approach which is right for the company. As touched upon previously, you may require full control over your organisation-owned devices – covering settings, features and security. This requires the device and users to “enrol” into Intune. This can be an automatic or manual process which I will expand on in greater depth in this blog. Essentially, once enrolled, they will receive settings and controls through policies configured in Intune for the organisation. This could include settings such as enforcing BitLocker encryption or a password policy.
The alternative approach is for personal or bring-your-own devices (BYOD) where users may not want you to have full control of their devices. This is where you and the end-user have two options:
Devices which are enrolled into Intune give administrators the ability to view a list of devices and pull an inventory for them. From there, they can:
As mentioned earlier in this blog, Microsoft Intune integrates with several other Microsoft services allowing you to fully secure your corporate data.
Intune integrates with Azure Active Directory for access control and Azure Information Protection, and also with the Microsoft Office suite of products. This enables you to remotely deploy apps such as Outlook to specific devices or specific users, and to control how these apps behave when users access company data on their personal devices with app policies. For example, you can prevent users from copying text from a company app into a personal app on their personal device. There are many options here, and together they allow you to build a real governance plan.
One of the major benefits of using Intune to manage your devices is the fact it’s cloud-based, thus removing the need for any on-premises infrastructure. This eliminates the need to plan, purchase and maintain any on-premises equipment, which can be a huge cost saving.
There are a few ways to add Intune licenses which I will cover later in this article, but what’s great is you can license the user instead of the device! This avoids the endless task of counting devices, and the Microsoft Intune cost might be £0 if you already subscribe to another service. Like most of the other M365 products, you can also choose to license users monthly or yearly.
To use mobile device management (MDM), your devices need to be enrolled into Intune. Once a device is enrolled, it’s issued an MDM certificate, which is used to authenticate communication between the Intune service and the device. There are several methods to enrol devices and they differ depending on the type of device (Windows, macOS, iOS, Android), the device ownership (corporate or personal), and the management requirements (resets, locking).
More information can be found here: https://docs.microsoft.com/en-us/mem/intune/enrollment/device-enrollment
So, we know in order to manage any device, it needs to be enrolled into Intune. This is a manual process, but it can be automated depending on the current state of the device.
Windows 10 devices which are Hybrid Azure AD-joined can be automatically enrolled into Intune by configuring a group policy object (GPO) on the on-premises domain which targets the OU containing the devices you want to enrol in Intune.
Azure Active Directory can be configured so any devices which are Azure AD-joined are auto-enrolled into Intune as well. This is simply a setting within the Mobility (MDM and MAM) section within your Azure AD admin center. User groups can be targeted, or the scope can be set to All. I would recommend multi-factor authentication is enabled for anyone who is registering a device.
To simplify enrolment without an Azure AD Premium subscription, you can create a DNS (domain name system) alias (CNAME record) which redirects enrolment requests to Microsoft’s Intune servers. Without this, users will have to manually type in the Intune server names during enrolment.
Note – this would need to be configured on each domain you have registered within your M365 tenant if you are using it for Intune. Once the DNS records are in place you can verify them within the Intune admin center.
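As an added example (not part of the original post), this PowerShell script checks the three prerequisites described above on a Windows 10 device: that the auto-enrolment GPO has applied, that the device is Hybrid Azure AD-joined, and that the enrolment CNAMEs resolve correctly. The registry path and value names are those written by the MDM auto-enrolment policy and the CNAME targets are Microsoft’s documented enrolment endpoints; `contoso.example` is a placeholder domain.

```powershell
# Added example (not from the original post): checks a Windows 10 device's readiness
# for automatic Intune enrolment. Registry path/value names are those written by the
# "Enable automatic MDM enrollment using default Azure AD credentials" policy, and the
# CNAME targets are Microsoft's documented enrolment endpoints; the domain is a placeholder.
param(
    [string]$Domain = 'contoso.example'   # placeholder; replace with a verified tenant domain
)

# 1. Has the auto-enrolment GPO been applied? AutoEnrollMDM = 1 turns it on;
#    UseAADCredentialType = 1 means user credential, 2 means device credential.
$mdmKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
$mdm = Get-ItemProperty -Path $mdmKey -ErrorAction SilentlyContinue
if ($mdm -and $mdm.AutoEnrollMDM -eq 1) {
    Write-Output "Auto-enrolment policy present (credential type $($mdm.UseAADCredentialType))"
} else {
    Write-Warning "Auto-enrolment policy not applied; check the GPO link and OU targeting"
}

# 2. Is the device Hybrid Azure AD-joined? GPO auto-enrolment needs both
#    DomainJoined and AzureAdJoined to read YES in dsregcmd output.
$dsreg = dsregcmd /status
$joinState = @{}
foreach ($field in 'AzureAdJoined', 'DomainJoined') {
    $line = $dsreg | Select-String -Pattern "^\s*$field\s*:\s*(\S+)"
    $joinState[$field] = if ($line) { $line.Matches[0].Groups[1].Value } else { 'UNKNOWN' }
}
$joinState.GetEnumerator() | ForEach-Object { Write-Output "$($_.Key) = $($_.Value)" }

# 3. Do the enrolment CNAMEs point at Microsoft's documented endpoints?
$expected = @{
    "EnterpriseEnrollment.$Domain"   = 'EnterpriseEnrollment-s.manage.microsoft.com'
    "EnterpriseRegistration.$Domain" = 'EnterpriseRegistration.windows.net'
}
foreach ($name in $expected.Keys) {
    $cname = (Resolve-DnsName -Name $name -Type CNAME -ErrorAction SilentlyContinue).NameHost
    if ($cname -eq $expected[$name]) {
        Write-Output "OK   $name -> $cname"
    } else {
        Write-Warning "$name resolves to '$cname', expected '$($expected[$name])'"
    }
}
```

Run it in an elevated PowerShell session on the client; a mismatch in step 3 usually means the CNAMEs were added to only one of the tenant’s registered domains.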
Windows Autopilot can be used to deploy Windows PCs. It is a collection of technologies used to pre-configure new devices before production use. Autopilot can also reset, repurpose, and recover devices. This can all be achieved remotely with little to no infrastructure with a very simple and easy process.
A troublesome device can be wiped, reconfigured and ready to go within an hour in the comfort of someone’s home without the need of any physical support from the IT team, therefore simplifying the device lifecycle for both IT and end users.
When new devices are deployed, Windows Autopilot uses the OEM-optimised version of the Windows client. This is pre-installed on the device, so there is no need for any custom images and the device can be shipped directly to the end user, where it is transformed into a business-ready state.
Once deployed, you can manage the Windows device using Microsoft Intune.
To avoid any issues when initially installing an application, app configuration policies can be utilised. These assign configuration settings to a policy targeted at end users before setup. The settings are then automatically supplied when the app is configured on the end user’s device, leaving no outstanding actions for end users. These configuration settings are unique to each user and each app.
Configuration policies can be created and implemented to provide configuration settings for both Android and iOS/iPadOS apps alike. These configuration settings allow full app customisation through app management and configuration. Typically, these configuration policy settings are actioned when the app is run for the very first time (when the app checks for these settings).
App configuration settings may require the following:
App configuration policies are important and eliminate the potential of error if end users were to enter these settings themselves. They can also help to provide consistency across your organisation, reducing the need for helpdesk calls, and ensuring the greatest efficiencies. By using app configuration policies, new app installations can be easier and quicker, and processes more efficient.
Configuration parameters (and the implementation of these which are available) are set by app developers and creators. Always remember to seek validation in the form of legal documentation from these application vendors to ensure all configurations are available, and how these may potentially impact the application.
For some applications, Intune will populate the available configuration settings.
App configuration policies can be assigned to groups of end users and devices by using a combination of include and exclude assignments. Once an app configuration policy has been added, you can set the assignments for the policy. When setting assignments, you can include and exclude the groups of end users to which the policy applies, choosing one or more groups of end users or devices.
App protection policies (APP) are rules which guarantee your company’s data is contained in a managed app and ensure it remains safe. A policy can be a set of actions which are restricted or monitored when the user is inside the app, or a policy could be a rule which comes into effect when a user tries to move or access corporate data and prevents them from doing so.
Mobile Application Management (MAM) app protection policies allow you to control your company data within your applications. Many Microsoft and third-party apps are supported and can be managed by Intune MAM. The official list can be found here: https://docs.microsoft.com/en-us/mem/intune/apps/apps-supported-intune-apps
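As an added example (not code from the original post), the following PowerShell creates an iOS app protection policy through Microsoft Graph that implements the controls described above and in the app-policy paragraph earlier (no copy out of managed apps, data contained in managed apps, a periodic online check). The property names are those of the Graph `iosManagedAppProtection` resource; the display name and durations are illustrative choices, and the policy still needs assigning to a group afterwards.

```powershell
# Added example (not from the original post): creates an iOS app protection policy
# via Microsoft Graph that keeps company data inside managed apps.
# Property names are those of the Graph iosManagedAppProtection resource; the
# display name and durations are illustrative choices, not values from the post.
# Requires: Install-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'DeviceManagementApps.ReadWrite.All'

$policy = @{
    '@odata.type'                           = '#microsoft.graph.iosManagedAppProtection'
    displayName                             = 'Example - iOS BYOD data protection'
    description                             = 'Keep corporate data inside managed apps'
    # Block copy/paste out of managed apps into personal apps; paste in is still allowed
    allowedOutboundClipboardSharingLevel    = 'managedAppsWithPasteIn'
    # Company data may only be sent to, or received from, other managed apps
    allowedOutboundDataTransferDestinations = 'managedApps'
    allowedInboundDataTransferSources       = 'managedApps'
    saveAsBlocked                           = $true
    dataBackupBlocked                       = $true
    pinRequired                             = $true
    # Re-check access requirements with the Intune service every 30 minutes while online
    periodOnlineBeforeAccessCheck           = 'PT30M'
    # Selectively wipe app data if the device stays offline for 90 days
    periodOfflineBeforeWipeIsEnforced       = 'P90D'
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections' `
    -Body ($policy | ConvertTo-Json -Depth 5) -ContentType 'application/json'

Write-Output "Created app protection policy $($created.id); assign it to a user group next."
```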
The benefit of controlling and protecting your applications with Intune is you have remote control over your apps and data. There are 3 ways you can wipe app data from Intune:
MAM selective wipe removes any company data from the app. When a user is using an app, a request is sent every 30 minutes to the Intune service. This check is also carried out whenever the user first launches the app and signs in with their work or school account.
Full device wipe does what is says on the tin – removes all settings and user data from the device by resetting the device to factory defaults. The device is then removed from Intune.
MDM selective wipe removes any company data from the device. This is generally used for personally owned devices when retiring them from Intune, without needing to wipe the entire device because of the personal data on it. There is a lot to consider with this option, such as the type of device involved, so more information can be found here: https://docs.microsoft.com/en-us/mem/intune/remote-actions/devices-wipe
Intune also offers integration with TeamViewer, which is an exclusive partnership. This allows further remote control and support capabilities across multiple platforms such as Windows, macOS, iOS and Android devices. You can even go as far as gaining remote access to point of sale (POS) systems, kiosks, and digital signage. It is very easy to configure as there is a pre-built TeamViewer Connector within Intune ready for activation.
By using TeamViewer, you can leverage real-time sharing to view issues and fix devices with minimal downtime or disruption. All data is end-to-end encrypted and not even TeamViewer can read the data in transit or at rest.
Microsoft offers two ways to handle mobile device management (MDM): MDM for Office 365, and Intune. MDM for Office 365 is a lightweight version of MDM which doesn’t include mobile application management (MAM). It does allow you to enforce MDM policies and settings, which help control access to Office 365 data for supported devices, and to remotely wipe devices to remove any company data.
It is also included in most Office 365 subscriptions, whereas Intune might be in a pricier subscription. The main configuration capabilities are somewhat limited and there are no deployment functions or abilities to wipe apps remotely.
Microsoft Endpoint Configuration Manager, previously known as Microsoft System Center Configuration Manager (SCCM), is now part of Microsoft Endpoint Manager (MEM). Configuration Manager has been around for many years and is widely used in hundreds of thousands of companies. It is an on-premises solution which is fairly complex to set up and requires a lot of maintenance. Intune gives you the ability to move away from your on-premises infrastructure, or to co-manage your devices by using Configuration Manager in conjunction with Intune.
I wouldn’t say Intune is a direct replacement for Endpoint Manager. Intune doesn’t allow you to deploy images as it is designed around the modern workplace, where images are being phased out and configuring devices out of the box with deployment profiles is becoming the new way of working. Why deploy a bulky image when you can configure the one already on your device and deploy the relevant apps?!
Workspace One, previously known as AirWatch, was rebranded in 2018 by VMware. Many organisations are migrating their devices to Intune as it’s part of the Microsoft 365 ecosystem therefore reducing costs and simplifying the management of devices and users.
You may be familiar with Group Policy Objects (GPO) if you’ve supported an on-premises infrastructure. GPOs don’t exist in Azure or Intune. Intune has something called Configuration Profiles which do a very similar thing. They allow you to control devices or users using a set of policies. I have written another blog which goes into more detail around Group Policy analytics in Microsoft Endpoint Manager.
There is no specific certification for Microsoft Intune, as Microsoft now focuses on role-based certifications, although a few certifications cover Intune in their topics, such as:
Microsoft Intune is included in many subscriptions, so you may already be paying for it, but it is also available as a stand-alone subscription.
Intune is included in the following M365 subscriptions:
Microsoft also offers a device-only subscription service for Intune, which allows you to manage devices which aren’t affiliated with specific users (if this is needed).
I hope this blog has been informative, answered any questions on Intune and explained the positive outcomes it can bring to your organisation. It is such a huge product, one which is constantly evolving and growing.
Remember, Insentra can also help with all your Intune queries and more! Get in touch today with one of our friendly experts.
How do you get Intune? You can try Intune for free.