Microsoft Intune is a mobile device management solution in the cloud. Read here what Intune is exactly and what possibilities it offers. […]
Intune gives companies, and in particular the IT department, tools to centrally administer the end devices already in circulation and to bring future devices into managed deployment. Intune supports the following platforms: Windows 10, iOS, iPadOS and macOS devices, and Android Enterprise.
For Windows 10, Intune allows devices to be joined purely through the cloud (Azure AD Joined). The alternative is a hybrid setup together with an on-premises domain controller and Active Directory; such devices are referred to as Hybrid Azure AD Joined.
For iOS devices, integration with Apple Business Manager or Apple School Manager is possible, as are managed Google Play and Zero Touch deployment. Enrolment can also be implemented in a bring-your-own-device scenario, bringing privately owned devices under corporate management. Across all platforms, Intune lets you configure and restrict devices, control updates, and set up app deployment.
In its basic functionality Intune does not differ much from other mobile device management solutions, but it offers some very interesting possibilities, for example through the AutoPilot service or the evaluation of local group policies. Let’s take a closer look at Windows AutoPilot, which also brings us to the biggest difference from other providers: the device can be deployed directly at the end user.
The usual route, in which a device is ordered from the hardware supplier, goes to the IT department and is imaged there, is eliminated. Intune must of course still adapt the Windows client to the given policies and applications, but it builds on the Windows operating system already installed on the device. There is no complete reinstallation, but rather a (substantial) adaptation of the existing OS, and this adaptation no longer necessarily has to take place within the company.
In times of home office and remote work, the client can be shipped directly to the user’s home. The user unpacks the device, connects it to the home network and signs in with their business e-mail address. Once this is done, the device enters the AutoPilot process. The following graphic illustrates the process:
Using Windows AutoPilot (c) Microsoft
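AutoPilot only recognises a device if its hardware hash has been registered in the tenant beforehand. The following script is an added example, not code from the original article or from Microsoft: it reads the hash through the same MDM bridge WMI class that Microsoft’s Get-WindowsAutopilotInfo script uses and writes it in the CSV layout the Endpoint Manager Admin Center import dialog accepts. The output path and the empty group tag are assumptions; it must run in an elevated PowerShell session on the device itself.

```powershell
# Added example (not from the original article): collect the Windows AutoPilot
# hardware hash of the local device and write it in the CSV layout that the
# Endpoint Manager Admin Center import dialog expects.
# Run in an elevated PowerShell on the device itself (the MDM bridge WMI
# namespace requires administrator rights). Output path and group tag are assumptions.

param(
    [string] $OutputFile = "$env:TEMP\AutopilotHWID.csv",
    [string] $GroupTag   = ""   # optional AutoPilot group tag, left empty here
)

# Serial number from the BIOS
$serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber

# Hardware hash via the MDM bridge namespace (root/cimv2/mdm/dmmap); this is the
# class the official Get-WindowsAutopilotInfo script reads as well
$devDetail = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' `
    -ClassName 'MDM_DevDetail_Ext01' `
    -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
$hash = $devDetail.DeviceHardwareData

if (-not $hash) {
    throw "Could not read the hardware hash; run this elevated on a physical Windows 10 device."
}

# One row per device; the import expects the header below and no quoting
$row = [PSCustomObject]@{
    'Device Serial Number' = $serial
    'Windows Product ID'   = ''        # may be left blank for the import
    'Hardware Hash'        = $hash
    'Group Tag'            = $GroupTag
}
$row | ConvertTo-Csv -NoTypeInformation |
    ForEach-Object { $_ -replace '"', '' } |
    Out-File -FilePath $OutputFile -Encoding ascii

Write-Host "Hardware hash for serial $serial written to $OutputFile"
```

The resulting file is uploaded under Devices > Windows > Windows enrollment > Devices in the admin center; once the hash is registered and a deployment profile is assigned, the device shown in the graphic above picks up its profile during the out-of-box experience.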
Depending on the platform, Intune provides a different set of policies that can be applied through the Endpoint Manager Admin Center. The policies are used to adapt the device to the company’s compliance and security requirements. Typical use cases include:
- Enforcing password requirements
- Disabling location services
- Configuring BitLocker
- Blocking screenshot functionality on Android or iOS
- Deploying WLAN profiles
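The two Windows items in the list, a password requirement and BitLocker, are the kind of settings a compliance policy carries. The script below is an added example, not code from the original article or from Microsoft: it creates such a Windows 10 compliance policy through the Microsoft Graph PowerShell SDK and assigns it to a group. It assumes the Microsoft.Graph module is installed and an account with the listed permission; the group ID is a placeholder.

```powershell
# Added example (not from the original article): create a Windows 10 compliance
# policy that requires a device password and BitLocker encryption via Microsoft
# Graph, then assign it to a group. Requires the Microsoft.Graph module
# (Install-Module Microsoft.Graph). The group ID below is a placeholder.

$targetGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder, replace

# Sign in with the permission needed to write compliance policies
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

$policy = @{
    '@odata.type'            = '#microsoft.graph.windows10CompliancePolicy'
    displayName              = 'Baseline - Password and BitLocker'
    description              = 'Added example: require a device password and BitLocker'
    passwordRequired         = $true
    passwordMinimumLength    = 8
    passwordRequiredType     = 'alphanumeric'
    bitLockerEnabled         = $true
    storageRequireEncryption = $true
    secureBootEnabled        = $true
    # Graph rejects a compliance policy without a scheduled action; "block" with
    # a 0 h grace period marks non-compliant devices immediately, which is what
    # Conditional Access later evaluates.
    scheduledActionsForRule  = @(
        @{
            ruleName = 'PasswordRequired'
            scheduledActionConfigurations = @(
                @{ actionType = 'block'; gracePeriodHours = 0 }
            )
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies' `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType 'application/json'

Write-Host "Created compliance policy $($created.id)"

# Assign the new policy to the target group
$assignment = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                       groupId       = $targetGroupId } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType 'application/json'
```

Creating policies through Graph rather than by hand in the portal makes them reviewable and repeatable across tenants; the same request body can be kept in version control and compared against what the tenant actually contains.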
The policies can either be set up purely on an Intune basis, be co-managed alongside System Center, or be treated as complementary to local group policies. In addition to configuration policies, applications can be provided as mandatory or optional. Applications from the respective Google, Apple or Microsoft store can be used, but it is also possible to integrate MSI files or Win32 apps into Intune. Defining dependencies between apps to control the installation order is currently still in preview, but should become a standard feature in the future.
Intune’s MDM is extended by client management, in which connectors to third parties can be activated, for example in the firewall area or TeamViewer for remote support. Microsoft’s platform idea shows here as well: Windows Defender can be controlled via Intune, so it is not mandatory to rely on a third-party provider, which would mean another administration interface and, of course, a separate cost block.
The MDM also offers the possibility of reporting on the devices and applications currently in the system. Every end device is inventoried when it is enrolled in Intune, which gives the IT administrator an overview of the entire landscape. If required, this reporting can also be fed into Power BI for a customised overview.
Microsoft Intune is a SaaS offering, so there is no need to set up Intune or the Microsoft Endpoint Manager Admin Center yourself. Once the appropriate license is ordered, the MDM solution is automatically provisioned.
Instead, depending on the use case, configuration must be carried out within Intune itself, for example to use the Windows AutoPilot service or to control Windows update rings.
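Integrating an MSI as a Win32 app means wrapping it into a .intunewin package with the Microsoft Win32 Content Prep Tool and then entering install, uninstall and detection settings in the admin center. The script below is an added example, not code from the original article or from Microsoft: it checks the installer’s Authenticode signature before packaging, so that only a vendor-signed binary is pushed to every targeted device, reads the MSI product code for an exact detection rule, and runs the prep tool. All paths are assumptions, and IntuneWinAppUtil.exe must be downloaded from Microsoft separately.

```powershell
# Added example (not from the original article): prepare an MSI for Win32 app
# deployment. Verify the installer's signature first, extract the product code
# for the detection rule, then wrap the folder with IntuneWinAppUtil.exe.
# All paths below are assumptions.

$sourceDir = 'C:\Packages\ExampleApp'      # folder containing the installer
$setupFile = 'ExampleApp.msi'               # installer file name
$outputDir = 'C:\Packages\Out'
$prepTool  = 'C:\Tools\IntuneWinAppUtil.exe'

$installer = Join-Path $sourceDir $setupFile

# Refuse to package anything that is not validly signed
$sig = Get-AuthenticodeSignature -FilePath $installer
if ($sig.Status -ne 'Valid') {
    throw "Refusing to package ${setupFile}: signature status is '$($sig.Status)'"
}
Write-Host "Installer signed by: $($sig.SignerCertificate.Subject)"

# Read the MSI ProductCode so the detection rule and uninstall command are exact
$wi   = New-Object -ComObject WindowsInstaller.Installer
$db   = $wi.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $wi, @($installer, 0))
$view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db,
            @("SELECT Value FROM Property WHERE Property='ProductCode'"))
$view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null) | Out-Null
$rec  = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
$productCode = $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, 1)

# Wrap the folder into a .intunewin package (-q = quiet, no prompts)
New-Item -ItemType Directory -Path $outputDir -Force | Out-Null
& $prepTool -c $sourceDir -s $setupFile -o $outputDir -q

# Values to enter in the Endpoint Manager Admin Center when uploading the app
[PSCustomObject]@{
    Package          = Join-Path $outputDir ([IO.Path]::ChangeExtension($setupFile, '.intunewin'))
    InstallCommand   = "msiexec /i `"$setupFile`" /qn /norestart"
    UninstallCommand = "msiexec /x $productCode /qn /norestart"
    DetectionRule    = "MSI product code $productCode"
}
```

Using the product code as the detection rule avoids the hand-typed installation paths the article criticises below, and the signature check turns the packaging step into a gate rather than a pure conversion.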
In terms of licenses and prices, the strong link to the Microsoft 365 Suite is once again evident. Intune is part of the following licenses:
- Microsoft 365 E3/E5
- Microsoft 365
- Enterprise Mobility + Security E3/E5
- Enterprise Mobility + Security E3
- Microsoft 365 Business Premium
- Microsoft 365 Government G3/G5
- Microsoft 365 Education A3/A5
As a result, Intune does not incur any separate costs but is included in the price of the respective Microsoft 365 subscriptions. Intune licenses are assigned per user, but Intune also offers device licenses, for example for a company that uses kiosk devices not assigned to a specific user. A pure Intune standalone license currently costs around € 5.10 per month per license.
The Endpoint Manager Admin Center offers companies a complete solution for managing Windows clients and mobile devices on the Android and iOS platforms. It has interesting capabilities, such as integrating and controlling Windows Defender or working with other parts of the Microsoft security stack. This makes it possible to stay within the Microsoft product family without necessarily depending on third-party solutions.
Intune also offers proven administration methods, such as setting up configuration policies or controlling Windows updates. Unfortunately, Microsoft misses the opportunity to make app deployment more user-friendly for IT administrators and puts up some hurdles, with cumbersome package conversions and the manual setting of installation paths that first have to be mastered. Long synchronisation times before an application or policy is pulled by the end device are also known from other MDM solutions; unfortunately Intune is no better here and continues the tradition of System Center and other solutions.
One thing is certain: Microsoft puts a lot of time and money into its endpoint management solution. As a result, Intune has gained enormously in functionality and stability in recent years, although the system still has some weaknesses. Meanwhile, Intune has quickly become the first choice for companies without an MDM solution because of its proximity to the Microsoft 365 product family. For companies with established management solutions, a look at Intune and the Endpoint Manager can also be worthwhile when changing providers, although depending on the use case this can come with some difficulties and headaches.
* Aaron Siller is an IT consultant and owner of the IT service provider siller.consulting. His technological focus is on Microsoft cloud technologies such as Microsoft 365, Intune and Azure. Under the label siller.together, he and his partners support end customers on their way to the Microsoft Cloud: migrating to services such as Microsoft 365, building IT security on the basis of Microsoft Intune, or relocating infrastructures to Microsoft Azure.