Nick Thomas - 27.04.202220220427

The Ultimate Guide to Microsoft Intune

Table of Contents


Microsoft Intune basics 

Microsoft Intune is a mobile device management (MDM) and mobile application management (MAM) provider for all digital devices, including mobile phones, tablets and laptops and other mobile devices. Windows 10, Windows 11, macOS, Android and Apple iOS are all supported by Microsoft Intune – a cloud-based service that allows you ultimate control in how your organisation’s devices are used daily in the workplace. 

Intune is part of a Microsoft package – Enterprise Mobile + Security (EMS) suite. It can natively integrate with the full suite of Microsoft 365 products, including Azure Active Directory (Azure AD), and can allow control over access (who and what users can access) as well as Azure Information Protection (AIP), and providing data protection. 

What does Microsoft Intune do? 

Intune allows you to control applications using specific policies, such as preventing access to your office 365 applications unless using a company device, or even enforcing password policies on mobile phones. You can deploy apps such as Office 365, Microsoft Teams, OneDrive as customised apps to devices. 

One of the great features of Intune is controlling how users access company data on personal devices. This ensures that all company data stays protected and separate from personal data. 

There are endless opportunities and possibilities using Intune. A few key features are:  

  • Choose to be 100% cloud with Intune, or be co-managed with Configuration Manager and Intune together 
  • Secure your company information by controlling the way users access and share information 
  • Set policies and configure settings on personal and organization-owned devices to access data and networks 
  • Deploy and authenticate apps on devices 
  • Manage your devices making sure they are compliant with your security requirements 
  • Manage your apps ensuring that they comply with security requirements 

How does Microsoft Intune work? 

Microsoft Intune is a cloud-based service that allows you to remotely manage mobile devices and mobile applications. This allows you to have a super effective and productive mobile workforce, without the worry of your company’s data being compromised. 

Below is a high-level diagram of the Microsoft Intune architecture. As you can see, the three main areas are configuring devices, protecting data, and managing apps. One thing to note, is even though Intune is a cloud-based product, it can also hook in to Configuration Manager to control your domain-joined devices that are already enrolled into Configuration Manager on premises. 

How to use Microsoft Intune 

The common practices of ways to use Microsoft Intune: 

  • Protecting your on-premises email and data so it can be accessed by devices safely 
  • Protecting your Microsoft 365 email and data so it can be accessed by devices safely 
  • Offering a ‘bring your own device’ (BYOD) programme to all employees 
  • Issue corporate-owned devices such as laptops, tablets and phones to employees 


Device choice & customization 

With Intune, you aren’t restricted to corporate devices. Intune gives you the flexibility of issuing corporate devices or allowing employees to use their personal devices too – by registering, enrolling, and managing their devices and then installing corporate applications from the Company Portal. 

Mobile & PC device management 

Intune allows you to manage devices using an approach that’s right for the company. As touched upon previously, you may require full control over your organization-owned devices – covering settings, features and security. This requires the device and users to “enroll” into Intune. This can be an automatic, or manual process which I will expand on in greater depth in this blog. Essentially, once enrolled, they will receive settings and controls through policies configured in Intune for the organisation. This could include settings such as enforcing BitLocker encryption or a password policy. 

The alternative approach is for personal or bring-your-own devices (BYOD) where users may not want you to have full control of their devices. This is where you and the end-user have two options: 

  • Enroll the device so the user has full access to company resources 
  • Use app protection policies that enforce MFA to only access company apps such as email, SharePoint, or Teams 

Access to corporate resources 

Devices that are enrolled into Intune give administrators the ability to view a list of devices and pull an inventory for them. From there, they can: 

  • Configure devices to ensure they meet the company’s security and health standards. For example, you may require devices to be encrypted 
  • Deploy certificates to allow devices to connect to Wi-Fi networks or VPNs  
  • Pull reports on device compliance and users 
  • Wipe devices or remove data from the device 

Data protection 

As mentioned earlier in this blog, Microsoft Intune integrates with several other Microsoft services allowing you to fully secure your corporate data. 

Intune integrates with Azure Active Directory for access control and Azure Information Protection and also with the Microsoft Office suite of products. This enables you to remotely deploy apps such as Outlook for specific devices or specific users and control how these apps work if users access company data on their personal devices with app policies. For example, you can prevent users from copying text from a company app and into a personal app on their personal device. There are so many options here, but it allows you to really build a governance plan.

Managed in the cloud 

One of the major benefits of using Intune to manage your devices is the fact it’s cloud-based, thus removing the need for any on-premises infrastructure. This eliminates the need to plan, purchase and maintain any on-premises equipment. This could be a huge cost-saving area benefit. 

Flexible pricing plans 

There are a few ways to add Intune licenses which I will cover later in this article, but what’s great is that you can license the user instead of the device! This avoids the endless task of counting devices, and the Microsoft Intune cost might be £0 if you already subscribe to another service. Like most of the other M365 products, you can also choose to license users monthly or yearly. 


What is device enrollment? 

To use the mobile device management (MDM), your devices need to be enrolled into Intune. Once a device is enrolled, it’s issued an MDM certificate. This is used to communicate between the Intune service and the device. There are several methods to enroll devices and they are different depending on the type of device (Windows, macOS, iOS, Android), the device ownership (corporate or personal), and the management requirements (resets, locking).  

More information can be found here:  

Automatic enrolment 

So, we know that to manage any device it needs to be enrolled into Intune. This is a manual process, but it can be automated depending on the current state of the device. 

Windows 10 devices that are Hybrid Azure AD-joined can be automatically enrolled into Intune by configuring a group policy object (GPO) on the on-premises domain that targets the OU that you want the member devices to enroll in Intune. 

Azure Active Directory can be configured so that any devices that are Azure AD-joined are auto-enrolled into Intune as well. This is simply a setting within the Mobility (MDM and MAM) section within your Azure AD admin center. User groups can be targeted, or the scope can be set to All. I would recommend multi-factor authentication is enabled for anyone that is registering a device.  

CNAME registration 

To simplify enrollment without an Azure AD Premium subscription you can create a DNS (domain name system) alias (CNAME record) that redirects enrollment requests to Microsoft’s Intune servers. Without this, users will have to manually type in the Intune server names during enrollment.  

Note – this would need to be configured on each domain that you have registered within your M365 tenant if you are using it for Intune. Once the DNS records are in place you can verify them within the Intune admin center.  

Windows autopilot configuration 

Windows Autopilot can be used to deploy Windows PCs. It is a collection of technologies used to pre-configure new devices before production use. Autopilot can also reset, repurpose, and recover devices. This can all be achieved remotely with little to no infrastructure with a very simple and easy process. 

A troublesome device can be wiped, reconfigured and ready to go within an hour in the comfort of someone’s home without the need of any physical support from the IT team, therefore simplifying the device lifecycle for both IT and end users. 

When new devices are deployed, Windows Autopilot users the OEM-optimised version of Windows client. This is pre-installed on the device so there is no need for any custom images and the device can be shipped directly to the end user. The device can be transformed into a business-ready state. 

Once deployed, you can manage the Windows device using Microsoft Intune. 


App configuration 

To avoid any issues when initially installing the application, app configuration policies can be utilised. This helps by assigning configuration settings to an end-user assigned policy prior to setup. These settings are then automatically supplied when the app is configured on the end-user’s device – leaving no outstanding actions for end-users. These configuration settings are unique to each user and for each app. 

Configuration policies can be created and implemented to provide configuration settings for both Android and iOS/iPadOS apps alike. These configuration settings allow full app customization by app management and configuration. Typically, these configuration policy settings are actioned when the app is run for the very first time (when the app checks for these settings). 

App configuration settings may require the following: 

  • Language settings 
  • Security settings 
  • Custom port 
  • Brand and company logo settings  

App configuration policies are important and eliminate the potential of error if end users were to enter these settings themselves. They can also help to provide consistency across your organisation, reducing the need for helpdesk calls, and ensuring the greatest efficiencies. By using app configuration policies, new app installations can be easier and quicker, and processes more efficient. 

Configuration parameters (and the implementation of these that are available) are set by app developers and creators. Always remember to seek validation in the form of legal documentation from these application vendors to ensure all configurations are available, and how these may potentially impact the application.  

For some applications, Intune will populate the available configuration settings. 

Assigning groups 

App configuration policies can be assigned to groups of end-users and devices by using a combination of include and exclude assignments. Once and app configuration policy has been added, you can set the assignments to that policy. When setting assignments, you have the option to include and exclude groups of end-users for which the policy applies to. You can then choose to include one or more groups of end-users or devices. 

Protection policies 

App protection policies (APP) are rules that make sure your company’s data is contained in a managed app or that it remains safe. A policy can be a set of actions that are restricted or monitored when the user is inside that app, or a policy could be a rule that comes into effect when a user tries to move or access corporate data and prevents them from doing so.  

Mobile Application Management (MAM) app protection policies allow you to control your company data within your applications. Many Microsoft and third-party apps are supported and can be managed by Intune MAM. The official list can be found here:  

Remote access 

The benefit of controlling and protecting your applications with Intune is that you can remote control over your apps and data. There are 3 ways you can wipe app data from Intune: 

  • MAM selective wipe 
  • Full device wipe 
  • MDM selective wipe  

MAM selective wipe removed any company data from the app. When a user is using an app, a request is sent every 30 minutes to the Intune service. This check is also carried out whenever the user first launches the app and signs in with their work or school account. 

Full device wipe does what is says on the tin – removes all settings and user data from the device by resetting the device to factory defaults. The device is then removed from Intune. 

MDM selective wipe removes any company data from the device. This is generally used for personally owned devices when retiring them from Intune but without needed to wipe the entire device due to personal data. There are a lot of things to think about with this option such as what type of device you are talking about so more information can be found here:  

Intune also offers integration with TeamViewer, which is an exclusive partnership. This allows further remote control and support capabilities to multiple platforms such as Windows, MacOS, iOS and Android devices. You can even go as far as gaining remote access to point of sale (POS) systems, kiosks, and digital signage. It is very easy to configure as there is a pre-built TeamViewer Connector within Intune ready for activation.  

By using TeamViewer, you can leverage real-time sharing to view issues and fix devices with minimal downtime or disruption. All data is end-to-end encrypted and not even TeamViewer can read the data in transit or at rest. 


Microsoft MDM vs Intune 

Microsoft offers two ways to handle mobile device management (MDM). MDM for Office 365 and Intune. MDM for Office 365 is a lightweight version of MDM that doesn’t include mobile application management (MAM). It does allow you to enforce MDM policies and settings that will help control access to Office 365 data for supported devices and also remotely wiping devices to remove any company data. 

It is also included in most Office 365 subscriptions, whereas Intune might be in a pricier subscription. The main configuration capabilities are somewhat limited and there are no deployment functions or abilities to wipe apps remotely. 

Endpoint manager vs Intune 

Microsoft Endpoint Configuration Manager, previously known as Microsoft System Center Configuration Manager (SCCM), is now part of Microsoft Endpoint Manager (MEM). Configuration Manager has been around for many years, and is widely used in hundreds of thousands of companies. It is an on-premises solution that is fairly complex to set up and requires a lot of maintenance. Intune gives you the ability to move away from your on-premises infrastructure, or to co-manage your devices by using Config Managed in conjunction with Intune. 

I wouldn’t say that Intune is a directly replacement for Endpoint Manager. Intune doesn’t allow you to deploy images as it is designed around the modern workplace where images are being phased out and configuring devices out of the box with deployment profiles is becoming the new way of working. Why deploy a bulky image when you can configure the one already on your device and deploy the relevant apps?! 

Intune vs Workspace One 

Workspace One, previously known as AirWatch, which was rebranded in 2018 by VMware. Many organisations are migrating their devices to Intune as it’s part of the Microsoft 365 ecosystem therefore reducing costs and simplifying management of devices and users.  

GPO vs Intune 

You may be familiar with Group Policy Objects (GPO) if you’ve supported an on-premises infrastructure. GPOs don’t exist in Azure or Intune. Intune has something called Configuration Profiles that do a very similar thing. They allow you to control devices or users using a set of policies. I have written another blog which goes into more detail around Group Policy analytics in Microsoft Endpoint Manager.  


There is no specific certification for Microsoft Intune, as Microsoft now aim for around role-based certifications, although there are few certifications that cover Intune in the topics though such as: 

  • Microsoft 365 Certified: Modern Desktop Administrator Associate 
  • Microsoft 365 Certified: Enterprise Administrator Expert 


Microsoft Intune is included in many subscriptions, so you may already be paying for it, but it is also available as a stand-alone subscription. 

Intune is included in the following M365 subscriptions: 

  • Microsoft 365 Business Premium 
  • Microsoft 365 E3 
  • Microsoft 365 E5 
  • Microsoft Enterprise Mobility + Security (EMS) 
  • Microsoft 365 Education A1 (Intune for Education) 
  • Microsoft 365 Education A3 (Intune for Education) 
  • Microsoft 365 Education A5 (Intune for Education) 

Microsoft also offer a device-only subscription service for Intune, that allows you to manage devices that aren’t affiliated to specific users, if this is needed.  


I hope this blog has been informative and answered any questions on Intune and explained the positive outcomes it can bring to your organisations. It is such a huge product, that is constantly evolving and growing. Remember, Insentra can help with all your Intune queries and more! Get in touch today with one of our friendly team.  

How do you get Intune? You can try Intune for free

Join the Insentra Community with the Insentragram Newsletter

Hungry for more?