Get Your Act Together with Microsoft Intune: Because Herding Digital Cats is Harder Than Real Ones
In today’s mobile, cloud-first, work-anywhere world, organizations of all sizes are facing the challenge of managing and securing devices, applications, and data. As more employees use their personal devices for work, and as organizations adopt innovative technologies and platforms, it has become increasingly difficult to ensure security and compliance while still providing employees with the flexibility and productivity they need. Enter Microsoft Intune.
Over the next few paragraphs, we are going to cover all the best features offered by this solution and offer some of our thoughts on why you should start using it right away.
What is Microsoft Intune?
If you have not heard of it already, Microsoft Intune is a cloud-based Mobile Device Management (MDM) and Mobile Application Management (MAM) solution offered by Microsoft. It enables organizations to manage and secure endpoints, mobile devices, applications, and data across a range of platforms, including iOS, Android, Windows, Linux, Chrome OS, and macOS.
Here are a few reasons why you need to implement it in your organization:
- Simplified Modern Device/Application Management: Microsoft Intune provides a centralized, cloud-based solution for managing and securing mobile devices, applications, and data. This can save time and effort for IT staff, while also providing greater control and visibility over mobile assets. Your Windows devices no longer need to VPN in to get policy and device configuration changes/updates.
- Enhanced Security: Intune offers robust security features to help protect your mobile devices and data. With Intune, you can enforce policies to require device encryption, leverage certificate services, set up access controls, configure device compliance rules, and monitor devices for suspicious activity. Intune also integrates with the entire Microsoft 365 stack to provide a holistic approach to security, with features that support a Zero Trust security model.
- Improved Productivity: Intune enables end-user access to corporate resources on the go, using their mobile devices to stay connected and productive. You can curate and distribute organization-owned line-of-business apps through a centralized Company Portal. This can help employees work and collaborate more effectively, while still ensuring security and compliance.
- Compliance: Compliance with regulatory requirements is essential for many organizations. Intune offers compliance reporting and monitoring, helping you to meet regulatory requirements and demonstrate compliance with auditors and regulators.
Best of all, Intune is included with subscriptions to Microsoft 365 E3, E5, F1, F3, Enterprise Mobility + Security E3 and E5, and Business Premium plans (See Microsoft Intune Plans and Pricing). If you have any of those subscriptions, you already have Intune available to you.
MDM vs MAM
We get this question often when we work with organizations to develop and implement a device management strategy with Microsoft Intune. Do you deploy MDM, MAM, or both?
The broad answer is that if the device is organization-owned, it should be managed with MDM. If it’s a personal device (BYOD), then MAM is a much better choice. However, let’s look more in-depth at the two methods of management:
Mobile Device Management (MDM):
- Provides control over the entire device, including settings and applications.
- Allows administrators to enforce policies at the device level, such as password requirements and encryption.
- Can remotely wipe the entire device if it is lost or stolen.
- Requires the installation of an agent/broker app on the device, which may cause privacy concerns for some users.
- Can be more complex and expensive to implement than MAM.
- Knows about the applications installed on the device but does not know what data they hold.
Mobile Application Management (MAM):
- Focuses on managing and securing specific applications and data rather than the entire device.
- Allows administrators to set policies for individual applications, such as disabling certain features or requiring multi-factor authentication.
- Can remotely wipe only the specific application and its associated data if necessary.
- Requires a very minimal footprint on the device, which may be more attractive to users concerned about privacy.
- Can be less complex and less expensive to implement than MDM.
- Data-aware and enables segmenting of organizational vs personal data.
In some cases, it makes sense to deploy both MDM and MAM. For example, your Sales or HR teams may need access to social media applications as part of their job, on their organization-issued devices. However, you are also likely aware of the risks posed by some of these applications and their ability to collect information from the user’s device. You may still leverage MDM to manage the device. In addition, you may implement App Protection Policies (APP) to create a secure walled garden around organization data preventing data collection and unauthorized access.
What does Microsoft Intune do?
Microsoft Intune offers a comprehensive set of capabilities that focus on endpoint/device security. Intune integrates with the entire Microsoft 365 security stack, specifically with Microsoft Defender for Endpoint (MDE). While Intune and MDE are two separate products, they complement each other through the following key features:
- Deploy Defender for Endpoint: You can use Intune to deploy Defender for Endpoint to managed devices, which will help protect them from a wide range of threats.
- Configure Defender for Endpoint policies: Intune can be used to configure Defender for Endpoint policies, such as endpoint protection, firewall, and device control policies. This helps ensure that devices are protected according to your organization’s security policies.
- Monitor device compliance: Intune can monitor device compliance with Defender for Endpoint policies, and can take actions such as blocking access to corporate data if a device is non-compliant.
- Manage security incidents: Intune and Defender for Endpoint can work together to detect and respond to security incidents. For example, if Defender for Endpoint detects a threat on a device, Intune can be used to act, such as blocking access to corporate data or quarantining the device.
In addition, Intune offers several turnkey security baselines and frameworks for Windows platforms iOS, Android, and mobile application management. This is especially useful for customers who seek to fast-track the deployment of security best practices.
Deploying Intune for success
While this article is not meant as a step-by-step guide, we would like to share a bit of our planning process to help you be successful in your Intune journey:
- Define your device use cases: Understanding how organization-issued or personal devices are used and how end-users access organization data is paramount. This could be as simple as having some conversations with end-users and/or organization stakeholders. The key here is to establish the current baseline, and how the deployment will affect it moving forward.
- Define your solution objectives: Most will immediately respond to this by saying “I just want to secure my devices and organizational data” or “I need to meet X compliance”. Those are great objectives, but I would challenge you to think beyond this by thinking about what you learned in your discovery, end-user/device use cases, known risks, threat landscape, etc. in addition to your immediate needs. This will help with the next step in your planning process.
- Define the security baseline: Determining the security baseline that aligns with your organization’s data security and compliance policies may be tricky. Many organizations will opt for the CIS or NIST benchmarks or stick with the Microsoft-provided security baseline and/or framework. Those are good places to start. Organizations subject to regulation and compliance laws will need more careful consideration in this step.
Regardless of where you are in your Intune journey, we recommend going through these steps to ensure you covered your bases and perhaps spur some new thinking. Additionally, it’s a value-add to run through these steps over time to ensure your organization is getting the most out of the solution.
Can I replace Active Directory Group Policies with Intune?
In many cases, Intune can take the place of traditional Active Directory Group Policies, but it is not a one-to-one replacement. Group Policy is a Windows feature that is used to centrally manage and apply settings and configurations to computers that are joined to an Active Directory domain. Intune has many of the same settings as your on-premises GPOs and it offers the following capabilities to help you migrate:
- Use Group Policy Analytics: Group Policy analytics is a tool in Microsoft Intune that analyzes your on-premises GPOs, shows the settings that are supported by Microsoft Intune, shows any deprecated settings, or settings not available, and can migrate your imported GPOs to a settings catalog policy that can be deployed to your devices.
- Use the Settings Catalog: Settings catalog lists all the settings you can configure, and all in one place. This feature simplifies how you create a policy, and how you see all the available settings. More settings are continually being added. If you prefer to configure settings at a granular level, like on-premises GPO, then the settings catalog is a natural transition.
- Import custom ADMX and ADML templates: You can import custom and third-party ADMX and ADML templates into the Intune admin center. Once imported, you can create a device configuration policy using these settings, and then assign the policy to your managed Windows 10/11 devices.
I am already using X for MDM, why should I switch to Intune?
This is another common question that we get from organizations that have already invested time and effort into an existing device management solution in their environment. There are several reasons to consider the switch:
- Integration with Microsoft 365: If your organization already uses Microsoft 365, Intune seamlessly integrates with these services, making it easy to manage and secure your devices and data across multiple platforms.
- Advanced security features: Intune includes a range of advanced security features, such as conditional access policies, device encryption, and app protection policies. These features can help you to protect your devices and data from a wide range of threats.
- Automatic updates: With Intune, you can easily update your devices to the latest software versions, ensuring that you have the latest security patches and features.
- Easy to use: Intune is designed to be easy to use, with an intuitive interface that allows you to manage your devices and policies with ease.
- Cost Savings: As mentioned previously, Intune is included with most of the popular subscriptions on Microsoft 365. In some scenarios, organizations may realize up to 60% in per-user savings by switching to Intune. Discover Microsoft Intune plans and pricing
How we can help you get there
PSM has a successful record of deploying Microsoft Intune in small, mid-size, and enterprise organizations. As a trusted Microsoft Solutions Partner for Modern Work, PSM is committed to helping your organization plan and execute your Intune deployment strategy.
As a Microsoft Solutions Partner, PSM Partners provides managed IT services for businesses and institutions in the Chicago, IL area. To learn more, call PSM at (312) 940-7830 or submit a contact form today.