Intune Device Management
Microsoft Intune is a cloud-based service that focuses on Mobile Device Management (MDM) and Mobile Application Management (MAM).
Device Wish List
Do you wish to allow only certain phones and phone models to access corporate data?
Do you wish to remotely wipe only corporate data from a mobile device?
Do you want to ensure that only devices, PCs and mobiles that comply with company policy can access data?
Do you wish to allow only a few users to share data outside the company?
Do you want to restrict actions like copy, cut, paste and save-as to corporate apps only?
Do you want to enforce a PIN on mobile devices?
Do you want to ensure that data is saved only to OneDrive and SharePoint on mobiles?
Do you want to prevent screenshots of corporate data?
Do you want to ensure that users can access data only in the browser when using their own PC?
Do you want to restrict downloading of email attachments from the browser on a user's own PC?
If the answer for one or more questions listed above is YES, you need Intune.
MDM and MAM
When you set up a device under mobile device management, you control the entire device: you can wipe data from it and also reset it to factory settings. So this is usually done for corporate-owned devices.
Mobile application management lets you control your business data on your users' personal devices, such as iPhones and Androids, and their personal Windows 10 computers. You can use application management policies to prevent your users from copying business data from Office apps into their personal apps. The data of personal apps is left untouched. So MAM is the preferred choice for BYOD or user-owned devices.
Intune in EMS
Intune is available as part of the Enterprise Mobility + Security (EMS) suite. It integrates with Azure Active Directory to control who has access and what they can access. Intune is also part of Microsoft 365 Business Premium.
Intune and Azure Active Directory work together to make sure only managed apps can access corporate e-mail or other Microsoft 365 services.
Intune integrates with Azure Information Protection for data protection.
Manage Corporate Devices
Corporate devices are enrolled in Intune.
When devices are enrolled and managed in Intune, administrators can:
See the devices enrolled and get an inventory of devices accessing organization resources.
Configure devices so they meet your security and health standards. For example, you can block jailbroken devices.
Push certificates to devices so users can easily access your Wi-Fi network or use a VPN to connect to your network.
See reports on users and devices that are compliant and not compliant.
Remove organization data if a device is lost, stolen or no longer used.
Manage apps on user-owned devices
Mobile application management (MAM) in Intune is designed to protect organization data at the application level, including custom apps and store apps. App management can be used on organization-owned devices and on personal devices.
For user-owned or BYOD devices, use app protection policies that require multi-factor authentication (MFA) to use apps like Outlook, Teams, etc.
With MAM, administrators can:
Add and assign mobile apps to user groups and devices.
Configure apps to start or run with specific settings enabled, and update existing apps already on the device.
See reports on which apps are used and track their usage.
Do a selective wipe by removing only organization data from apps.
App Protection policies
App protection policies are useful in a variety of ways:
Use Azure AD to isolate organization data from personal data. Data accessed using organization credentials is given additional security protection.
Control or prevent user actions such as copy-and-paste, save-as, and viewing corporate data in personal apps.
Lock down Exchange Online so that it can be used only by Outlook or Outlook Mobile.
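As an added example (not from the page or from Microsoft's documentation), the following PowerShell creates, via the Microsoft Graph API, an Android app protection policy for Outlook that implements the restrictions listed above and in the Device Wish List: data transfer and clipboard limited to managed apps, save-as restricted to OneDrive and SharePoint, screenshots blocked, and a PIN required. It assumes the Microsoft Graph PowerShell SDK is installed and that you have already run `Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All"`; the policy name and PIN length are example values.

```powershell
# Added example, not from the page: Android app protection policy for Outlook via Microsoft Graph.
# Assumes: Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All" has already been run.
$graphBase = "https://graph.microsoft.com/v1.0/deviceAppManagement/androidManagedAppProtections"

$policyBody = @{
    displayName                             = "Android MAM: Outlook data protection"   # example name
    # Data transfer: only other policy-managed apps may receive corporate data or paste it in.
    allowedOutboundDataTransferDestinations = "managedApps"
    allowedInboundDataTransferSources       = "managedApps"
    allowedOutboundClipboardSharingLevel    = "managedApps"
    # Save-as only to corporate storage; no local or third-party storage.
    saveAsBlocked                           = $true
    allowedDataStorageLocations             = @("oneDriveForBusiness", "sharePoint")
    # Block screenshots and printing of corporate data (screenCaptureBlocked is Android-only).
    screenCaptureBlocked                    = $true
    printBlocked                            = $true
    # Access requirements: app PIN plus work-account sign-in, re-checked periodically.
    pinRequired                             = $true
    minimumPinLength                        = 6
    organizationalCredentialsRequired       = $true
    periodOnlineBeforeAccessCheck           = "PT30M"
    periodOfflineBeforeAccessCheck          = "PT12H"
    periodOfflineBeforeWipeIsEnforced       = "P90D"
}

# 1. Create the policy; the response contains the new policy's id.
$policy = Invoke-MgGraphRequest -Method POST -Uri $graphBase -Body $policyBody

# 2. Target the policy at Outlook for Android (add more entries for Teams, Word, etc.).
$targetBody = @{
    apps = @(
        @{
            mobileAppIdentifier = @{
                "@odata.type" = "#microsoft.graph.androidMobileAppIdentifier"
                packageId     = "com.microsoft.office.outlook"
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$graphBase/$($policy.id)/targetApps" -Body $targetBody

"Created app protection policy $($policy.id) targeting Outlook for Android"
```

The policy still has to be assigned to a user group (the `assign` action on the same resource) before it takes effect for anyone.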
Conditional Access and Intune
Intune and Azure Active Directory work together to make sure only managed and compliant devices can access email, Microsoft 365 services, Software as a Service (SaaS) apps and on-premises apps. Additionally, you can set a policy in Azure Active Directory so that only domain-joined computers or mobile devices that are enrolled in Intune can access Microsoft 365 services.
For Windows PCs, one can enable Azure AD Join and then grant access only to Azure AD joined PCs.
For BYOD PCs, one can use Workplace Join and enroll the devices into Intune MDM so that they receive device-level policies.
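As an added example (not from the page or from Microsoft's documentation), the following PowerShell creates the Azure AD Conditional Access policy described in this section with the Microsoft Graph PowerShell SDK: access to Microsoft 365 is granted only from an Intune-compliant device, a hybrid Azure AD joined PC, or an app governed by an Intune app protection policy (the "only managed apps" case mentioned under Intune in EMS). It assumes `Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"` has already been run; the break-glass group id is a placeholder.

```powershell
# Added example, not from the page: Conditional Access policy via the Microsoft Graph PowerShell SDK.
# Assumes: Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess" has already been run.
$breakGlassGroupId = "<break-glass-group-object-id>"   # placeholder: your emergency-access admin group

$policy = @{
    displayName = "Microsoft 365: require compliant device, hybrid-joined PC, or protected app"
    # Report-only first: sign-in logs show who would have been blocked before anything is enforced.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)   # never lock out the emergency-access accounts
        }
        applications = @{
            # "Office365" is the built-in app group covering Exchange Online, SharePoint, Teams, etc.
            includeApplications = @("Office365")
        }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{
        # OR: satisfying any one control grants access.
        #   compliantDevice      - Intune-enrolled and marked compliant (corporate MDM path)
        #   domainJoinedDevice   - hybrid Azure AD joined Windows PC
        #   compliantApplication - app covered by an Intune app protection policy (BYOD/MAM path)
        operator        = "OR"
        builtInControls = @("compliantDevice", "domainJoinedDevice", "compliantApplication")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created Conditional Access policy $($created.Id) in state $($created.State)"
```

Once the report-only sign-in results look right, update the policy with `state = "enabled"` to enforce it.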
Intune for Apple Macintosh
Intune works with macOS devices, and extensive device restrictions are possible. To learn more, see "macOS device settings in Microsoft Intune" on Microsoft Docs.
You can also manage Mac devices using the device compliance settings available in Intune. For more details, see "macOS device compliance settings in Microsoft Intune" on Microsoft Docs.
Use case scenarios for Intune
Protect Microsoft 365 email and data when accessed by mobile devices. Using Conditional Access, companies can ensure that no users, apps or devices can access Microsoft 365 data unless they meet the company's compliance requirements (performed multi-factor authentication, enrolled with Intune, using a managed app, supported OS version, device PIN, low user risk profile, etc.).
Safely deploy BYOD in your organization. In BYOD, the main challenge has always been to convince employees to enroll their personal device into management, as they are fearful of what their IT department will be able to see and do on their device. As an option, Intune offers an alternative BYOD approach of managing only the apps that contain corporate data. Intune protects the corporate data even if the app in question accesses both corporate and personal data, as is the case for Office mobile apps.
Manage corporate-owned mobiles. Intune helps provision corporate devices in an automated fashion. As soon as an employee powers on the device, they are walked through a corporate-branded setup flow where they must authenticate. The device is then seamlessly set up with all security policies. The employee then launches the Intune Company Portal app to access the corporate apps available to them.
Deploy fixed-use or limited-use shared tablets. Many businesses provide tablets to employees in a limited-use mode, such as a single line-of-business app. This improves the user experience and is often seen in retail outlets. With Intune you can bulk provision, secure and centrally manage these devices to run in this limited-use mode.
Allow employees to securely access Microsoft 365 from public Wi-Fi and kiosks. In this case one can limit usage to devices managed by the organization. This ensures that users do not leave corporate data on untrusted computers.