
A look at Microsoft Intune

Nathan O'Bryan MCSM
Microsoft Intune

Intune was born as Microsoft’s cloud-based Mobile Device Management platform. Since then, it has grown into a management platform for both mobile devices and PCs. Intune can now manage iPhone, Android, Windows Phone, and some versions of Windows. It’s clear that Microsoft intends to grow Intune into a complete cloud-based device management platform.

Planning an Intune rollout can be difficult. The features and functionality within Intune are ever evolving, so knowing how to deploy Intune effectively takes some studying. In this blog post, we’ll provide an introduction to Intune's current capabilities. We will test out what Intune can do to make your data more secure in a “Cloud First, Mobile First” world.

What is Intune?

The acronyms seem nearly endless, don’t they? Mobile Device Management (MDM), Enterprise Mobility Management (EMM), and Mobile Application Management (MAM) are three of the more popular acronyms you’ll see describing what Intune is. Each describes some of the functionality available within Intune, and I see them all used in this space. Whatever the acronym we use, there are three main areas of functionality that Intune currently provides.

  • Intune manages devices your organization’s workforce uses to access company data
  • Intune manages the mobile applications your organization’s workforce uses to access company data 
  • Intune verifies that devices and applications are compliant with your organization’s security policies 

Intune is designed around the idea that an organization’s workforce needs access to company data around the clock from anywhere and on any device. The modern workforce uses a lot of devices, and most of them tend to be brought from home. Intune gives organizations a way to manage those devices and how they are used to access organizational data.

It’s important to note that Intune is intentionally integrated tightly with the rest of the Enterprise Mobility + Security (EM+S) suite. You’ll quickly find that Intune licenses alone will limit your organization’s management options. I use the EM+S E5 license in my tenant. While this nearly doubles the price of an Office 365 E3 license, the features and functionality provided are impressive. 

Device Management vs. Application Management? 

When planning an Intune deployment, I find it’s important to understand the difference between device management and app management. Keeping the difference clear in your head will save you lots of time and effort when defining your Intune policies.

Device Management Policies Cover: 

  • Enrolling devices 
  • Configuring devices 
  • Pushing certificates 
  • Reporting on devices and measuring device compliance 
  • Removing organizational data from devices

Application Management Policies Cover:

  • Assigning mobile applications to employees 
  • Configuring applications 
  • Controlling how organizational data is used 
  • Removing organizational data from applications 
  • Updating applications 
  • Reporting and tracking application usage 

If we go back to EM+S, other parts of that stack add further security features. When an application is managed through other EM+S features as well as Intune, you gain additional features like: 

  • Isolation of personal data from organizational data within an application 
  • Single sign-on 
  • Application based conditional access 
  • Multi-factor authentication 
  • Rights management support 

What Devices Does Intune Manage? 

While planning your Intune deployment it’s important to understand what devices Intune can manage. Intune manages phones, tablets, and computers.  

Phones/Tablets: 
  • Android 4.4 and later devices 
  • iOS 9.0 and later devices 
  • Windows Phone 8.1, Windows 8.1 RT, and Windows 10 Mobile 

Computers: 
  • Windows 10 
  • Mac OS X 10.11 and later 
  • Windows 8.1 (sustaining mode) 

Intune With & Without Device Enrollment 

Most of the functionality within Intune is going to require installing the Company Portal application on the managed device, but there are still some benefits that can be gained without that requirement.  

Features Without Enrollment Provided by Intune Include:  

  • PIN requirements 
  • Preventing “save-as” 
  • Copy/Paste restrictions 
  • Jailbreak detection 
  • Remote wipe of some protected data 

These features can be very useful for situations where BYOD devices cannot be required to enroll. I’ve also seen customers use some of the features as an introduction to Intune while in the process of moving away from another MDM solution. 
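To make the no-enrollment list above checkable, here is an added example (not from the original post or from Microsoft) that audits an exported iOS app protection policy for those controls. The property names are those of the Microsoft Graph `iosManagedAppProtection` resource; the mapping from each listed feature to a property, and both sample policies, are assumptions constructed for illustration.

```python
# Added example: audit an app protection policy (JSON exported from Microsoft
# Graph, iosManagedAppProtection) for the no-enrollment controls listed above.
# The feature-to-property mapping is this example's assumption.
# Remote wipe is an on-demand action, not a policy property, so it is not checked.

# (control label, Graph property, predicate that is True when enforced)
CHECKS = [
    ("PIN requirements", "pinRequired", lambda v: v is True),
    ("Preventing save-as", "saveAsBlocked", lambda v: v is True),
    ("Copy/paste restrictions", "allowedOutboundClipboardSharingLevel",
     lambda v: v in ("managedApps", "managedAppsWithPasteIn", "blocked")),
    ("Jailbreak detection", "deviceComplianceRequired", lambda v: v is True),
]


def audit_policy(policy):
    """Map each control to 'enforced', 'not enforced' or 'missing'."""
    result = {}
    for label, prop, enforced in CHECKS:
        if prop not in policy:
            # A partial export must not be read as a pass.
            result[label] = "missing"
        else:
            result[label] = "enforced" if enforced(policy[prop]) else "not enforced"
    return result


def gaps(policy):
    """Return the controls that are not positively confirmed as enforced."""
    return [label for label, state in audit_policy(policy).items()
            if state != "enforced"]


# Constructed sample: permissive settings, one property absent from the export.
WEAK_POLICY = {
    "displayName": "Constructed sample: permissive",
    "pinRequired": False,
    "saveAsBlocked": False,
    "allowedOutboundClipboardSharingLevel": "allApps",
}

# Constructed sample: every listed control enforced.
HARDENED_POLICY = {
    "displayName": "Constructed sample: hardened",
    "pinRequired": True,
    "saveAsBlocked": True,
    "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
    "deviceComplianceRequired": True,
}

if __name__ == "__main__":
    for policy in (WEAK_POLICY, HARDENED_POLICY):
        print(policy["displayName"], "->", gaps(policy) or "no gaps")
```
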

Putting It All Together 

Moving to a cloud-based IT infrastructure can be challenging for many reasons. Customers often feel like they are losing control over their organization’s data to some extent during this process. Microsoft is very focused on making the data more available in as many ways as they can. 

Adding Intune to your Microsoft cloud stack gives organizations the ability to control end users’ BYOD devices, and how they use those devices to access organizational data. Before you can plan your Intune deployment, you need to understand the capabilities of this product. Customers are rightfully confused by the wide range of features spread out across the EM+S stack, so it’s worthwhile to make sure you understand what you’re getting with the licenses you purchase.
