Microsoft Intune: managing and securing your devices in the cloud

Are you keeping your company data safe? Are you managing all your staff devices and applications? How do you deploy devices to new starters? 

Managing your devices, protecting your business data and keeping your business secure online has never been more important than with the move to remote working. In the light of the Covid-19 pandemic, many businesses are re-evaluating the way they work between the workplace and home. That’s why more robust ways of managing your team’s devices are needed to keep company data and systems safe.

Microsoft Intune is a cloud-based device and application management solution that lets you do all this. If you’re already using Office 365 or Microsoft 365, it’s simply an add-on license, if it isn’t already included in the licenses that you have. This article is designed to help IT decision makers understand Intune and what it can do for you. 

Want to know more about how to secure and manage your devices and applications using Intune? Please contact us for a free discussion with one of our certified M365 technical consultants. We’re a trusted Microsoft Gold partner and we’ll be happy to help.

Let's Talk

Why manage your devices?

Whether it’s desktops, phones or tablets, your staff may well use company-owned and personal devices to access your business data, applications and networks for their work.

It’s easy for those devices to be compromised, for example, they may have an out-of-date version of the operating system with vulnerabilities or they might not have anti-virus software installed. They may have turned off the firewall, have a weak password, a virus or spyware on their device. All of these present a potential risk to your business, so it’s vital that any devices connecting to your company data and systems are protected and locked down to your requirements.

Why manage your business applications?

You’ll need to deploy your business applications on any device that a member of staff uses for work. For example, if you start using a new human resources system, they may need the client application installed on their PC. You’ll also need to manage the lifecycle of your applications – deploying, updating and eventually retiring them.

You’ll also need to control any applications that are accessing company data. Here you might want to allow users to do this, without being able to copy content from their work account in Outlook and paste it anywhere else for example. You may also want to be able to remove a work-related email account and its data from a member of staff’s personal phone without affecting their personal email account and data – it’s their own phone after all!

Traditional approaches to device and application management

Smaller organisations have often done these things manually on each device, however this simply isn’t feasible when an organisation grows, especially as more users work remotely.

In order to manage Windows PCs, office-based organisations typically have a domain controller and their PCs are domain-joined and controlled by Group Policy, and there may be a separate solution for deploying software centrally. You can find out more about this in our blog post: What’s the difference between AD vs Azure AD? | Compete366. 

This might deal with Windows PCs, but for Mac, iPhone and Android phone, a different set of solutions is usually used to manage each of these. Consequently, depending on the range of devices and applications you need to manage, you can end up with a complex set of solutions. What’s more, most organisations now need to enable their staff to work from multiple locations whether that’s from home, the office or for travel, which makes device management more challenging.

What is Microsoft Intune and what can you do with it?

In a nutshell, Microsoft Intune allows you to manage all your devices and the data stored on them in one, secure place in the cloud.

As a mobile device management (MDM) and mobile application management (MAM) solution, it means that you can control how your organisation’s devices are used, whether they are Windows PC, Mac, iOS or Android. In MDM, you manage the device and its settings. In MAM, you manage applications that are used to access company data such as the Outlook app.

For company owned devices, you normally use MDM and MAM. For personally owned devices, you tend to use MAM as it’s unlikely that users would be happy to have their personal phone fully controlled by their company. Knowing which Bring Your Own Devices (BYOD) are being used to access company data is important.

With Intune, you can set rules and configure settings on personal and organization-owned devices to access data and networks.

• Deploy and authenticate apps on all on-premise and mobile devices.
• Protect your company information by controlling the way users access and share information.
• Be sure devices and apps are compliant with your security requirements.

Read our Intune case study to find out how Smythson of Bond Street, a luxury British brand of home accessories and stationery, made the move to Intune. Due to the pandemic, overnight the team found themselves needing to work remotely and the head office subsequently had a new requirement for hot desking. Intune enabled the business to react quickly to keep business operations running smoothly. With Intune, a new flexible way of working provided a better experience for employees, who could work from wherever they were. Find out more.

How do you license Microsoft Intune?

Intune can be licensed per user in several ways depending on different customer needs and the size of your organisation:

• Intune Standalone License
• Some M365 plans such as M365 Business Premium (but not O365 plans) include Intune
• Enterprise Mobility + Security (EMS) Plans include Intune

How do you deploy Microsoft Intune?

Intune has a broad range of capabilities. Here we cover the key concepts at a high level.

Any account with O365 global admin rights will be able to administer Intune. This is done in the Endpoint Manager admin portal – enpoint.microsoft.com. You can of course create accounts or assign rights to existing accounts giving Intune admin rights.

Intune is used to deploy applications to users’ devices and configure settings on them. The first step is to add applications and device configuration profiles to Intune. Do this for each device type that you want to manage. For example, if you  want to manage Windows PCs, iPhone and Android Phones, then add the applications and configure Device Configuration Profiles for each of these.

The next step is to target these applications and Device Configuration Profiles at your chosen users and devices. This raises the question of what you should target at device groups and what you should target at user groups? The short answer is “it depends”, however, most small and medium businesses should target everything at users except Autopilot which must be targeted at devices. The following is an excellent blog detailing which options to choose: Devices or Users: When to target which policy type in Microsoft Endpoint Manager (Intune) – ITProMentor. 

Users and devices are targeted by putting them in an Azure AD Security Group and selecting that group for a given application or setting. The groups can be created as Security Groups in Azure AD. They can be static, in which case you manually assign users or devices to them. Alternatively they can be dynamic, in which case group membership is based on a query that you configure and users or devices are automatically added as they meet the query criteria.

You can make applications a required install, which means that Intune will install them on the devices of the targeted users. Or you can make applications available for install, which means that these applications will be available for users to install from the Intune Company portal if they wish (so it is used for optional applications).

Having set up configuration profiles to configure your device settings as required, you can then set up a compliance policy to check that these settings are in place. You can then decide what action to take if the device does not comply.

You can set up conditional access policies to control the devices and apps that connect to your email and company resources. For example, you could allow access according to:

• User or group membership
• IP location information
• Device details including compliance or configuration status
• Application details including mandatory use of managed apps to access corporate data

Once you’ve configured device settings and applications in Intune and targeted them at the relevant groups, the next step is to enrol the devices into Intune. There are various ways of doing this according to the type of device such as Windows PC or iPhone.

Taking the example of setting up a brand new Windows 10 PC, the user would turn it on and enter their Azure AD credentials (O365 email address and password). This Azure AD joins the PC which then auto-enrols it in Intune. At this point, Intune will apply the device configuration profiles such as the firewall settings and install the applications including the Office Suite, Chrome Browser, Line of Business Applications etc – then the user is good to go.

Day-to-day management

Having set everything up, you can do your device and application management and monitoring from the Endpoint Manager admin portal – endpoint.microsoft.com. Below we outline some of the most common tasks.

New starters

For anyone joining your organisation you’ll need to:

• create their account in O365 
• license them
• add them to the relevant Azure AD groups 

They can then enrol their devices in Intune and their device settings will be applied and applications deployed.

You may also wish to use the Windows Autopilot service. This works in conjunction with Intune, allowing you to have a Windows 10 PC shipped directly from your supplier to the user without you having to touch it. 

The device is registered with the Autopilot service so that it syncs with Intune, allowing you to configure an Autopilot deployment profile. This lets you customise the Windows Out of the Box Experience (OOBE) so that you can pre-configure the choices that a user is faced with when setting up for the first time. For example, when a user turns on their PC after connecting to the Internet, it will display a customised company home screen and have the user ID box populated with their O365 email address. All they’ll need to do is enter their password. 

Leavers

When a user leaves your company, typically you may want to re-assign their company owned devices, such as their PC, to another user. With Intune, you can wipe all the data remotely and restore the device back to its default factory settings. You can then assign the device to a new starter who can set up as above.

Where leavers have been using their own devices such as an iPhone to access company data, with Intune you can use the Retire action to remove managed app data, settings and email profiles while leaving their personal data intact.

Before you remove a user from Azure Active Directory (Azure AD), it’s important that you use the Wipe or Retire actions for all devices that are associated with that user. If you remove users that have managed devices from Azure AD, Intune can no longer wipe or retire those devices.

Windows 10 updates

You configure profiles for Windows 10 update rings and target them at user or device groups. You may have all users in one group, alternatively you might have a general user group and IT group, using the latter for a more advanced version of Windows 10. Devices then have updates applied according to the profiles that you’ve configured.

Intune supports the following Windows 10 servicing channels:

• Semi-Annual Channel
• Semi-Annual Channel (targeted) for 1809 and below
• Windows Insider – Fast
• Windows Insider – Slow
• Windows Insider – Release Preview

Read more about Windows 10 updates in Microsoft’s article: Windows update settings for Intune

Remote access to devices

If you need to access a user’s device remotely to help with troubleshooting, for example, there are many solutions available. However, there is direct integration with TeamViewer, which allows you to connect to a user’s device directly from the Endpoint Manager portal. Find out more about administering devices remotely in Microsoft’s article: Use TeamViewer to remotely administer Intune devices.

Applications

Intune can be used to deploy new applications, update existing ones and un-install those that you no longer want to use. Learn more about managing the app lifecycle in the Microsoft article: Overview of the app lifecycle in Microsoft Intune

Summary

To summarise, Microsoft Intune protects your organisation’s data and helps you control how your team access and share business information. This is important for today’s workforce, who use flexible working and more devices than ever before. Even if you think you’re on top of your cybersecurity strategy, there can be gaps. Microsoft Intune will give you the peace of mind that your business data is secure – wherever and however your team work.

If you’d like to discuss how to secure and manage your devices and applications using Microsoft Intune, contact us for a free discussion with one of our certified M365 technical consultants.

Let's Talk