Introduction to Microsoft Intune
Microsoft Intune complements System Center Configuration Manager (SCCM) by offering device and application management for Internet-facing mobile computers that are not domain joined to the corporate network. Microsoft Intune provides Cloud-based Mobile Device Management (MDM), conditional access, fine-grained policy configuration, and Mobile Application Management (MAM) capabilities. Intune also integrates with SCCM to provide single-console management that extends your SCCM infrastructure across devices on-premises and in the Cloud. Microsoft Intune was initially available on a per-user (not per-device) subscription basis either as a stand-alone service or as a component of Microsoft's Enterprise Mobility Suite (EMS), which also includes Microsoft Azure Active Directory Premium and Microsoft Azure Rights Management. Intune was later added to Microsoft's Azure-based Endpoint Manager service along with Configuration Manager. (Learn about Progent's Microsoft Azure planning and cloud integration consulting services.)
SCCM pushes an agent utility to client devices, which rely on traditional techniques such as VPN tunneling, reverse proxy servers, or ADFS servers placed behind the corporate firewall to position remote devices functionally within the protected perimeter. Microsoft Intune can support mobile devices that will not accept an agent, such as Apple iPhones and iPads, and that are not domain joined but simply connect through the Cloud. Because Microsoft Intune takes advantage of the Cloud-based infrastructure of Microsoft Azure Active Directory, IT managers can provide the convenience of single-sign-on for users with multiple devices and protect corporate resources by requiring enrolled devices to comply with a consistent set of policies. Authorized users can register, enroll, and manage their devices and install corporate applications from a web-accessible self-service Company Portal. Microsoft Intune supports current versions of Windows, Windows Phone, iOS, and Android, but does not support BlackBerries.
Microsoft Intune is evolving continually and therefore its appropriateness for different environments and usage scenarios can improve over time. Progent's Microsoft-certified consultants can help your organization understand the business case for adopting Microsoft Intune for managing some or all of your mobile devices and can help you set up pilot tests to evaluate the benefits of Intune for your environment. Progent can provide full project management services or as-needed consulting to help you migrate to Intune from your current MDM solution or integrate Intune with System Center Configuration Manager for a unified, enterprise-class device management solution. Progent can also help you utilize Intune to enhance the built-in management capabilities of Office 365 applications, integrate Intune with Exchange ActiveSync, and review your policies to ensure they are consistent with industry best practices and regulatory compliance.
Capabilities of Microsoft Intune
Microsoft Intune builds on the basic MDM capabilities incorporated into Office 365 and enhances these with extended MDM features plus Mobile Application Management and PC Management to offer a comprehensive solution for managing enterprise mobility. Major capabilities of Microsoft Intune include:
Mobile Device Management (MDM)
The challenge for a modern MDM system is to protect corporate resources and meet compliance requirements while creating an easy-to-manage environment that maximizes the productivity of users who may each work with multiple mobile computing devices (laptops, smart phones, tablets) which in turn may be powered by a variety of operating systems (Windows, iOS, Android, Linux). Microsoft Intune offers a solution to this problem by providing a full-featured set of MDM capabilities.
- Self-service Company Portal
You can set up a custom Intune Company Portal to provide a self-service solution for users to enroll their own mobile devices, find company apps to install, and see other devices they have added. Required apps can be pushed from the Company Portal directly to enrolled devices. By enrolling in the Company Portal, users also give administrators permission to manage their device.
- Simple Deployment of Connectivity Profiles and Certificates
Intune's resource access profiles allow you to pre-configure mobile devices with the connectivity settings they need for email and for Wi-Fi or VPN access to company files. This eliminates the need for end users to configure VPN and Wi-Fi settings on their own for every device they enroll with Intune. You can also automatically deploy certificates to enrolled devices to help secure these connections.
- Comprehensive Policy Management
Intune offers a rich set of configuration policies for managing mobile devices, providing significantly more granularity and control than is available through the MDM features included with Office 365. Examples of these configuration policies include enabling/disabling cameras or Bluetooth, defining password length and strength, requiring data encryption, and a kiosk mode that allows you to limit a device to running a certain application or to disable a device's power and volume buttons. When you need policies that are not included, Intune allows you to configure OMA-URI settings to create custom policies or, for iOS devices, you can import settings you exported from the Apple Configurator Tool.
- Conditional Access
Intune's conditional access feature allows you to define security criteria for restricting access to corporate resources such as Exchange email, Outlook email, OneDrive, or SharePoint Online. For example, you can deny access to a resource if a mobile device is unenrolled, out of compliance, or has been jailbroken or rooted (i.e., has unauthorized modifications in its operating system).
- Bulk Enrollment for Apple iPhones and iPads
Once you acquire an Apple Push Notification service (APNs) certificate for an iOS device, Intune allows you to enroll corporate-owned iPads and iPhones in bulk by using Apple Configurator. You can also simplify the enrollment of iOS devices bought directly from Apple by using the Device Enrollment Program (DEP), which supports hands-free setup and also allows Intune to perform Enrollment Profile uploads to Apple and to assign devices to those profiles.
- Lockdown Policy Enforcement
Intune can enforce strict lock-down policies for Supervised iOS devices, Android devices in Kiosk Mode, and Windows Phone devices using Assigned Access.
Mobile Application Management (MAM)
Mobile Application Management (MAM) involves imposing policies on certain functions of specific applications so that corporate compliance and security policies are not unintentionally or intentionally compromised by mobile users. Examples of modified functionality within a managed application are restrictions on cut and paste, saving files, or requiring that an app open hyperlinks only within a managed web browser. Microsoft Intune supports a growing array of MAM features for Windows, iOS, and Android-based mobile devices.
- Office 365 In-built Mobile Application Management
You can modify the functionality of Office 365 apps (for example, preventing Save As or requiring encryption) for Windows, iOS, and Android devices to protect against leaks of company data and to assure adherence to your organization's compliance and security policies.
- Intune App Wrapping Tool
You can apply your policies to your existing line-of-business applications that do not have built-in support for Intune application management by using the Intune App Wrapping Tool. This avoids having to recode your LOB applications.
- Secure Content Viewing
Users can view managed application content in compliance with your Intune policies by using Intune's managed web browser, PDF Viewer, AV Player, or Image Viewer.
- Selective Wipe
Administrators and device users can safeguard corporate data without erasing personal information via selective wipe of managed applications and associated data in cases where a device is retired, non-compliant, or missing. Intune also offers full wipe, remote lock, and passcode reset capabilities.
- Streamlined App Deployment
Administrators can automatically push selected apps to a managed device during enrollment, and authorized users can install corporate apps from Intune's self-service Company Portal. Administrators can also assign apps to be automatically uninstalled.
- Access Control
You can prevent specified apps or web sites from being accessed on managed mobile devices. Intune's managed web browser lets you create allow/block lists to control which web sites users can access.
Microsoft Intune supports unified Mobile Device Management (MDM), Mobile Application Management (MAM), and PC Management
For computers that are not enrolled with Intune as mobile devices, Intune provides client software that runs on the PC. (Windows 8.1 and Windows 10 PCs can be managed using the Intune client or they can be enrolled as mobile devices.) Once the Intune agent is installed, the client PC supports a variety of centralized management functions such as application management, Endpoint Protection, hardware and software inventory, software updates, and reporting about compliance settings. Intune PC management capabilities include:
- System Center 2016 Configuration Manager and SCCM 2012 Integration
You can integrate your current System Center Configuration Manager infrastructure with Intune to create a hybrid on-premises and Cloud-based management solution for PCs, Macs, and Unix/Linux servers along with most mobile devices, all controlled from a single console. (For information about SCCM 2016, refer to Progent's consulting services for System Center 2016 Configuration Manager.)
- Endpoint Protection
Intune Endpoint Protection scans files and applications on client PCs for malware threats, checks for suspicious activity patterns, and uses signatures of known vulnerabilities from the Microsoft Malware Protection Center to help detect and block malicious network traffic. Intune Endpoint Protection works in real time and updates automatically.
- Hardware and Software Inventory
You can gather information about hardware configurations and software installed on managed devices in order to create reports, organize computer groups, and plan efficient software deployments.
- Policy-based Software Deployment and Firewall Configuration
You can deploy policies to your managed computers that control when and how software updates are installed, and you can review and edit updates prior to deployment. You can also use policies defined by the administrator to configure the Windows Firewall settings on client computers.
- Remote PC Restart
You can remotely restart a managed computer or group of computers from the Microsoft Intune administration console.
- Retire a Computer
You can retire a computer or a selection of computers by using the administration console. A retired PC is removed from the Intune inventory and the associated license is freed for re-use. Intune's client agent and Endpoint Protection software are removed from the retired device, any policies are removed, and the values that were set by the policy are changed.
How Progent Can Help You with Microsoft Intune
Progent can help your organization determine whether it makes the most sense to set up Intune to manage your mobile devices as a standalone solution, as an extension of System Center Configuration Manager, as part of a Microsoft Office 365 subscription, or as part of the Microsoft Enterprise Mobility Suite. Progent can also help you design, test, deploy and troubleshoot your Intune management solution. Progent's mobile computing experts can help you integrate Windows, iOS, and Android devices with Intune by providing services that include iPhone and iPad integration and Android phone and tablet consulting. Progent's certified network security consultants can help you make sure your mobile device security policies follow industry best practices and align with your internal policies and with regulatory requirements. Progent's Cisco-certified CCIE network infrastructure consultants can help you optimize your network topology to accommodate your mobile and local workers and support on-premises, multi-site, Cloud-based, or hybrid infrastructures.
Progent can help you migrate efficiently to Microsoft Intune from older MDM platforms and can provide Windows 10 planning and support services to bring your Windows PCs up to date. Progent's Microsoft-certified Windows Server 2019 migration consultants, Windows Server 2016 consultants and Windows Server 2012 R2 experts can help you build a cost-effective server infrastructure that supports modern configuration management solutions. Progent offers comprehensive project management outsourcing or task-based consulting services, and Progent's disaster recovery planning consultants and business continuity experts can help you develop a device management solution that offers enterprise-class availability and recoverability.
Progent's experience providing advanced online consulting can save you time and money in deploying Microsoft Intune. Progent has provided online IT solutions to organizations of all sizes in every state in the U.S. (For a selection of customer testimonials, see Progent's customer testimonials.) Progent also offers onsite consulting in major metropolitan areas throughout the U.S.
For more information about Progent's planning, consulting and troubleshooting support for Microsoft Intune, phone 1-800-993-9400 or visit Contact Progent.
Progent's Consulting Services for Microsoft-based Technology
If you need immediate online support from a certified network expert, see Progent's Remote Consulting and Technical Support.
Progent's Microsoft-certified consultants offer the breadth of expertise to be your go-to solution provider for advanced consulting, integration and troubleshooting support for Microsoft products and services. Progent can assist you to plan, test, implement, administer, and remediate IT environments that incorporate Microsoft business products by providing services that include:
Find out more details about Progent's Consulting and Support Services for Microsoft .NET Server Technology.