Intune was born as Microsoft’s cloud-based Mobile Device Management platform. Since then, it has grown into a management platform for both mobile devices and PCs. Intune can now manage iPhone, Android, Windows Phone, and some versions of Windows. It’s clear that Microsoft intends to grow Intune into a complete cloud-based device management platform.
The process of planning for an Intune rollout can be difficult. The features and functionality within Intune are ever evolving, so knowing how to deploy Intune effectively takes some studying. In this blog post, we’ll provide an introduction to Intune's current capabilities. We will test out what Intune can do to make your data more secure in a “Cloud First, Mobile First” world.
What is Intune?
The acronyms seem nearly endless, don’t they? Mobile Device Management (MDM), Enterprise Mobility Management (EMM), and Mobile Application Management (MAM) are three of the more popular acronyms you’ll see describing what Intune is. Each describes some of the functionality available within Intune, and I see them all used in this space. Whatever the acronym we use, there are three main areas of functionality that Intune currently provides.
Intune manages devices your organization’s workforce uses to access company data
Intune manages the mobile applications your organization’s workforce uses to access company data
Intune verifies that devices and applications are compliant with your organization’s security policies
Intune is designed around the idea that an organization’s workforce needs access to company data around the clock, from anywhere, and on any device. The modern workforce uses a lot of devices, and most of them tend to be brought from home. Intune gives organizations a way to manage those devices and how they are used to access organizational data.
It’s important to note that Intune is intentionally integrated tightly with the rest of the Enterprise Mobility + Security (EM+S) suite. You’ll quickly find that Intune licenses alone will limit your organization’s management options. I use the EM+S E5 license in my tenant. While this nearly doubles the price of an Office 365 E3 license, the features and functionality provided are impressive.
Device Management vs. Application Management?
When planning for deploying Intune, I find it’s important to understand the difference between device management and app management. Keeping the difference clear in your head will save you lots of time and effort when defining your Intune policies.
Device Management Policies Cover:
Reporting on devices and measuring device compliance
Removing organizational data from devices
Application Management Policies Cover:
Assigning mobile applications to employees
Controlling how organizational data is used
Removing organizational data from applications
Reporting and tracking application usage
If we go back to EM+S, there are additional security features that are added from other parts of that stack. When an application is managed through other EM+S features as well as Intune, you gain additional features like:
Isolation of personal data from organizational data within an application
Application based conditional access
Rights management support
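The two halves of that picture, a device compliance policy on the Intune side and a conditional access policy on the EM+S (Azure AD) side that consumes the compliance result, can both be defined through Microsoft Graph. The following is an added example, not code from the original post; it assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in admin can consent to the listed scopes, and that $groupId is replaced with the object ID of a hypothetical pilot group. The conditional access policy is created in report-only mode so nothing is blocked until you have reviewed the sign-in logs.

```powershell
# Added example (not from the original post): an Intune Windows 10 compliance policy
# plus an Azure AD conditional access policy that requires a compliant device.
# Assumptions: Microsoft.Graph PowerShell SDK installed; $groupId is a placeholder
# for your pilot group's object ID (hypothetical value below).

$groupId = "00000000-0000-0000-0000-000000000000"   # replace with your pilot group

# Compliance policies need DeviceManagementConfiguration; conditional access needs
# Policy.ReadWrite.ConditionalAccess (Policy.Read.All is required alongside it).
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All",
                        "Policy.ReadWrite.ConditionalAccess",
                        "Policy.Read.All"

# 1. Device management side: define what "compliant" means for a Windows 10 device.
#    Graph rejects a compliance policy without at least one scheduled action, so a
#    failing device is marked non-compliant immediately (grace period of 0 hours).
$compliancePolicy = @{
    "@odata.type"         = "#microsoft.graph.windows10CompliancePolicy"
    displayName           = "Baseline - Windows 10"
    description           = "Password, BitLocker, Secure Boot and code integrity required"
    passwordRequired      = $true
    passwordMinimumLength = 8
    bitLockerEnabled      = $true
    secureBootEnabled     = $true
    codeIntegrityEnabled  = $true
    osMinimumVersion      = "10.0.17763"
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{
                    actionType                = "block"
                    gracePeriodHours          = 0
                    notificationTemplateId    = ""
                    notificationMessageCCList = @()
                }
            )
        }
    )
}
$policy = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies" `
    -Body ($compliancePolicy | ConvertTo-Json -Depth 10) -ContentType "application/json"

# Assign the compliance policy to the pilot group only.
$assignment = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $groupId } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($policy.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType "application/json"

# 2. EM+S side: conditional access consumes the device compliance state.
#    "compliantDevice" is the device-based control; "approvedApplication" would be
#    the app-based one mentioned above. Report-only mode logs what would happen
#    without enforcing it, which is the safe way to pilot.
$caPolicy = @{
    displayName = "Require compliant device (pilot, report-only)"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($groupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")
    }
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Body ($caPolicy | ConvertTo-Json -Depth 10) -ContentType "application/json"
```

Scoping both policies to a pilot group and leaving the conditional access policy in report-only mode is deliberate: a compliance rule that unexpectedly fails on a large share of devices would otherwise lock those users out of every cloud app the moment the policy is enabled.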
What Devices Does Intune Manage?
While planning your Intune deployment it’s important to understand what devices Intune can manage. Intune manages phones, tablets, and computers.
Android 4.4 and later devices
iOS 9.0 and later devices
Windows Phone 8.1, Windows RT 8.1, and Windows 10 Mobile
Mac OS X 10.11 and later
Windows 8.1 (sustaining mode)
Intune With & Without Device Enrollment
Most of the functionality within Intune is going to require enrolling the device, which means installing the Company Portal application on it, but there are still some benefits that can be gained without that requirement.
Features Intune Provides Without Enrollment Include:
Remote (selective) wipe of protected application data.
These features can be very useful for situations where BYOD devices cannot be required to enroll. I’ve also seen customers use some of the features as an introduction to Intune while in the process of moving away from another MDM solution.
Putting It All Together
Moving to a cloud-based IT infrastructure can be challenging for many reasons. Customers often feel like they are losing control over their organization’s data to some extent during this process. Microsoft is very focused on making that data available in as many ways as they can.
Adding Intune to your Microsoft cloud stack gives organizations the ability to control end users’ BYOD devices, and how they use those devices to access organizational data. Before you can plan your Intune deployment, you need to understand the capabilities of this product. Customers are rightfully confused by the wide range of features spread out across the EM+S stack, so it’s worthwhile to make sure you understand what you’re getting with the licenses you purchase.
Nathan O'Bryan MCSM
Nathan is a five time former Microsoft MVP and he specializes in Exchange, Microsoft 365, Active Directory, and cloud identity and security.