Inviso

Modern Endpoint Management with Microsoft Intune

By Inviso Team, December 8, 2022 (updated January 10, 2023)

Microsoft Intune is back! Several years ago, Microsoft rebranded Intune as Microsoft Endpoint Manager. However, at the 2022 Microsoft Ignite event, Microsoft announced they were bringing back the Intune name front and center. One big sign of this shift: even the admin page itself can now be accessed via https://intune.microsoft.com.

So, just what is Intune?

Microsoft Intune is a device management platform that provides services from the beginning to the end of the device lifecycle, fully managed from the cloud. Gartner includes Intune in the Unified Endpoint Management tool category, and has recognized Microsoft as a leader in this space. Intune covers everything from the early stages of the device lifecycle with provisioning and enrolling the device via Windows Autopilot, to ensuring proper security controls with device configuration profiles and endpoint security policies, to Windows device update management controlled by update rings. And, when a device is ready to be decommissioned, Intune can fully wipe and retire the device, completing the device lifecycle journey.

Intune is useful in many environments because it manages a wide spectrum of devices:

  • Windows
  • Android
  • iOS/iPadOS and macOS
  • Linux
Note: Windows Autopilot is a Windows-only service; the other platforms enroll through their own mechanisms.

So now that the device has been provisioned and the end user is using it, how does Intune control the configuration settings on this device? With Windows devices, instead of depending on Active Directory with Group Policies to manage these settings, we leverage the configuration profiles feature within Intune.

Configuration profiles screenshot

Configuration profiles keep the good parts of Group Policy (centrally defined settings pushed to every targeted device) while leaving behind the bad ones. Troubleshooting is simpler, too: the Device configuration tab in Intune shows, per device, whether each profile applied, errored, or conflicted. For anyone who has fallen down the rabbit hole of reviewing Group Policy results and working out why a setting is being applied, configuration profiles are a breath of fresh air.
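The per-device status that the Device configuration tab shows is also available through Microsoft Graph, which is handy when you want to hunt for every device where a profile failed rather than clicking through one device at a time. The following is an added example written for this article, not code from the Inviso post or from Microsoft; it uses the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph), and the profile name is an assumed placeholder.

```powershell
# Added example, not code from the original post. Lists every device where one
# template-based configuration profile did not apply cleanly.
# Settings catalog profiles are a different Graph resource (configurationPolicies,
# beta endpoint) and are not covered by this query.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.Read.All"

$profileName = "Contoso - Baseline browser settings"   # assumed name; substitute your own profile

# Pull all template-based profiles and match on display name client-side.
# Large tenants may get a paged response (@odata.nextLink); follow it if present.
$allProfiles = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations"
$profile = $allProfiles.value | Where-Object { $_.displayName -eq $profileName }
if (-not $profile) { throw "Profile '$profileName' not found" }

# Per-device status values: compliant, nonCompliant, error, conflict,
# notApplicable, notAssigned, remediated, unknown.
$statuses = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$($profile.id)/deviceStatuses"

# Keep only the devices that need attention, worst first.
$statuses.value |
    Where-Object { $_.status -in @('error', 'conflict', 'nonCompliant') } |
    Select-Object deviceDisplayName, userPrincipalName, status, lastReportedDateTime |
    Sort-Object status |
    Format-Table -AutoSize
```

A `conflict` status usually means two profiles target the same setting with different values for the same device, which is the Intune equivalent of the Group Policy precedence puzzle; the query above surfaces it in one pass instead of per device.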

Device configuration screenshot

Intune also oversees the delivery of applications to the managed devices. It’s fully equipped to manage applications throughout the app lifecycle, starting from the beginning of the app lifecycle with the creation of the application, to delivering this application to the proper assignment (user or device). You can also rely on Intune to make sure the application stays up to date.

Apps overview screenshot

Intune can also protect the data inside applications with app protection policies. These policies help you, as the administrator, keep company data contained within managed apps: for example, blocking a document from being saved locally or copied into an unmanaged app, where a bad actor with access to the device could extract it. App protection policies control the data; device-level requirements, such as up-to-date antivirus and a supported operating system version, are handled by compliance policies (covered below), which keep old and out-of-date devices away from company data.

Apps overview screenshot

Below is a general list of the types of applications you can deploy. The list is ever-growing, and the current version is maintained in Microsoft's Intune documentation.

Windows Devices
  • Win32 app
  • Microsoft Store app
  • A few direct applications like Microsoft 365 Apps & Microsoft Edge
  • Line of business applications (Traditional .msi, .appx, .appxbundle, .msix, and .msixbundle)
Apple Devices
  • iOS Store app
  • Line-of-business app for iOS and macOS (.ipa, .pkg)
Android Devices
  • Android Store app
  • Managed Google Play app
  • Line-of-business app

Security is paramount for Microsoft, and you can clearly see this while using Intune. We have talked about how you can protect the data around applications, but how does Intune protect your devices? Endpoint security is a feature provided by Intune that provides a central place for all security-related configurations on your devices.

Endpoint security overview screenshot

Within Endpoint security, you can manage your disk encryption policies (BitLocker on Windows, FileVault on macOS). You can also manage the local host firewall with Windows Defender Firewall or the macOS firewall. There are even built-in security baselines you can leverage within your organization if you want an easy button for a stronger security posture.

Security baselines screenshot
Note: The baselines ship with Microsoft's recommended, and in almost every scenario most restrictive, settings for your endpoints. Pilot a baseline on a small group first and work with your security partner to decide which settings fit your environment before assigning it broadly.

For all the security folks out there, the Endpoint security blade also integrates directly with Microsoft Defender for Endpoint, allowing you to manage all your EDR (endpoint detection and response), ASR (attack surface reduction), and account protection policies under one roof.

Endpoint security screenshot

Intune also includes compliance policies, which let you require a specific level of compliance before devices can reach company resources: for example, antivirus present and current, a minimum operating system version, and disk encryption turned on. You can customize these policies to match your antivirus product and any other settings you want to check. Note that a compliance policy only marks a device compliant or non-compliant; it is the Conditional Access policy in Microsoft Entra ID that actually blocks non-compliant devices from company data.
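To make the above concrete, here is an added example (written for this article, not code from the Inviso post or from Microsoft) that creates a Windows compliance policy through Microsoft Graph encoding the three requirements just described, assigns it to a group, and then lists the devices that currently fail compliance so you can see who would be blocked before wiring the policy into Conditional Access. The policy name, the OS version floor, and the group ID are assumed placeholders.

```powershell
# Added example, not code from the original post. Requires the Microsoft Graph
# PowerShell SDK (Install-Module Microsoft.Graph).
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All","DeviceManagementManagedDevices.Read.All"

$policy = @{
    '@odata.type'       = '#microsoft.graph.windows10CompliancePolicy'
    displayName         = 'Contoso - Windows baseline compliance'   # assumed name
    description         = 'Antivirus, OS version floor, and BitLocker required'
    antivirusRequired   = $true    # Windows Security Center must report an AV product
    antiSpywareRequired = $true
    rtpEnabled          = $true    # real-time protection must be on
    signatureOutOfDate  = $true    # require Defender signatures to be current
    bitLockerEnabled    = $true    # BitLocker on (reported via Device Health Attestation)
    secureBootEnabled   = $true
    osMinimumVersion    = '10.0.19045'   # assumed floor (Windows 10 22H2); raise as builds retire
    # Graph rejects a compliance policy without at least one scheduled action.
    # gracePeriodHours = 0 marks the device non-compliant immediately.
    scheduledActionsForRule = @(
        @{
            ruleName = 'PasswordRequired'
            scheduledActionConfigurations = @(
                @{
                    actionType                = 'block'
                    gracePeriodHours          = 0
                    notificationTemplateId    = ''
                    notificationMessageCCList = @()
                }
            )
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies' `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType 'application/json'
"Created compliance policy $($created.id)"

# Assign the policy to a group; without an assignment nothing is evaluated.
$groupId = '00000000-0000-0000-0000-000000000000'   # assumed placeholder; use your pilot group's object ID
$assignment = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $groupId } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType 'application/json'

# Preview the blast radius: devices Intune already considers non-compliant.
# Review this list before a Conditional Access policy starts enforcing it.
$noncompliant = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?`$filter=complianceState eq 'noncompliant'"
$noncompliant.value |
    Select-Object deviceName, userPrincipalName, operatingSystem, osVersion, lastSyncDateTime |
    Format-Table -AutoSize
```

Devices only re-evaluate when they check in, so give the pilot group a sync cycle or two before reading too much into the non-compliant list; a stale `lastSyncDateTime` is itself a finding worth chasing.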

Compliance policies screenshot

Considerations when choosing Intune

There are a few things I recommend you keep in mind when deciding whether to use Intune. Overall, Intune with Windows Autopilot provides an ideal end-to-end device provisioning service without the overhead of managing images and the supporting infrastructure.

A key benefit is that Microsoft Intune is a SaaS product, which means organizations no longer carry the burden of maintaining necessary infrastructure components. With Microsoft managing the infrastructure for Intune, your organization can manage devices anywhere on the planet with an internet connection. However, since this is a globally distributed service used by millions of organizations, delivery of applications or configuration settings may take a little longer to fully distribute compared to your traditional on-premises system.

Another positive for many organizations is the licensing model – Intune is built into many common Microsoft 365 plans such as E3 or Business Premium. Organizations can use this as a cost savings measure by migrating existing device management solutions to Intune. And finally, if you want to maintain your existing device management platform like ConfigMgr, it’s not a problem since Intune integrates with many different systems to help unlock further value using both products.

In summary, I hope you can see that Intune is an all-encompassing, cloud-based device and application management platform. In our experience, it is an excellent choice for organizations that want to secure and configure their devices and applications more easily. If you have any questions about how Intune could be implemented within your organization, we're here to help. You can get in touch with us at info@invisocorp.com.

Inviso Team
