What is Microsoft Intune?

Microsoft Intune is a cloud-based suite of tools providing device and endpoint management. It provides IT admins granular control of physical devices like laptops, mobile devices, tablets, and virtual desktops.
Both corporate and personal devices can be enrolled, and management functionality is available to restrict personal devices so as to ensure compliance and/or limit any user privacy concerns.

In many scenarios where users are connecting their personal devices to corporate resources (perhaps to edit or view documents), the IT team will require that the device is enrolled in Intune. This allows the IT team to validate that the device is healthy and does not pose a risk to the corporate environment.

Intune is closely linked to Azure Active Directory (Azure AD), meaning devices added to Azure AD can be enrolled in Intune. Application and policy assignments are controlled using Azure AD groups. Intune does not natively require or use VPN functionality to manage devices. However, if VPN connectivity is required for a user or device, Intune has the ability to deploy and configure VPNs via policy.

Lastly, Intune is licensed predominantly on a per-user basis, however per-device options are available for shared or kiosk-type scenarios.

What Is the Difference Between Microsoft Azure and Microsoft Intune?

Microsoft Azure and Microsoft Intune are both cloud-based services offered by Microsoft, but they serve different purposes.

Microsoft Azure is a comprehensive public cloud computing platform that provides a wide range of services including VMs (virtual machines), storage, databases, analytics, and more. It’s designed to help organizations build, deploy, and manage applications and services in the cloud, as well as enable them to run workloads on-premises via secure hybrid cloud environments. Azure provides a scalable and flexible infrastructure that can be used to meet a wide range of business needs, from developing and testing applications to running large-scale enterprise workloads.

Microsoft Intune is a cloud-based service that enables organizations to manage and secure physical and mobile devices and apps from a central location. It allows IT administrators to set policies for device configuration, control access to company resources, and protect corporate data. Intune helps organizations to manage the entire lifecycle of their devices, from enrollment and configuration to application and update management.

In summary, Microsoft Azure provides a broad range of cloud computing services, and Microsoft Intune is focused specifically on device and endpoint management. Both services are designed to help organizations leverage the power of the cloud to enhance their operations and security posture, and better achieve business goals.

What Is the Difference Between Mobile Device Management (MDM) and Intune?

MDM and Intune are two terms that are often used interchangeably, so it can be difficult to identify the differences between them.

MDM is a broad technology term for management solutions which allow IT administrators to manage mobile devices, such as smartphones and tablets, from a central location. It is designed to provide a complete solution for managing devices, endpoints, and security for organizations of all sizes. It provides a way to remotely configure and manage device settings, enforce security policies, and distribute apps and updates. MDM is typically used in enterprise environments to ensure that mobile devices are secure, compliant, and optimized for productivity. The term MDM is vendor-agnostic: it does not refer to any one specific cloud provider or solution.

Intune is a cloud-based service from Microsoft that provides MDM capabilities, as well as additional features for managing devices, apps, and PCs. It offers a comprehensive set of tools for device enrollment, configuration, and management, as well as application and update management, conditional access, and protection of corporate data.

The History of Microsoft Intune

On October 12, 2022, at Microsoft Ignite, Microsoft changed the name of its endpoint management suite to Microsoft Intune, replacing the previous Microsoft Endpoint Manager (MEM) name.

Intune has come a long way since its inception. What started out in the 2010s as an MDM solution in the traditional sense of managing mobile phones evolved during the decade to encompass all types of endpoints, including laptops, desktops and IoT devices. The reason Intune is misunderstood by many is partly due to this evolution over the years and the few name changes that came with it. People are most often confused by what Intune can do versus what its use cases are.

Why You Need Microsoft Intune & Intune Use Case

Microsoft Intune allows centralized control and management of devices, including personal and corporate devices, tablets, phones, Windows, macOS, and more. Without Intune, managing these devices would be time-consuming and complex, with no central tracking or compliance enforcement. Intune supports a Zero Trust security model and allows for policy enforcement across all device types.

Typical Intune Use Cases

Intune helps organizations with a wide variety of use cases including centralized device management and control, application management and deployment, securing corporate and personal devices, compliance and policy management, and supporting remote and hybrid work.

Intune is widely recognized for its MDM and MAM capabilities as detailed more in depth below.

Besides managing company-owned devices with MDM, Intune delivers security at the application level with Mobile Application Management (MAM) for personal devices. It’s the perfect solution to support modern and hybrid work, while optimizing manageability and enterprise mobile security.

Intune is also a security play. While the core of its functionality is around management of devices, with the power of conditional access in Intune, admins can enforce Zero Trust policies for access to corporate data and apps. Not too long ago, if you used a domain-joined computer within a corporate network, you were deemed an authorized user of company data. Now, Zero Trust policies can be enforced no matter the device, location, or owner. Intune is key to enforcing these policies across all endpoints.

Who Uses Microsoft Intune?

Intune is used in a wide variety of industries such as education, medical, construction, finance, and government. The users of Intune are typically the IT admins in any given organization, including MSPs (Managed Service Providers), who are tasked with managing corporate and BYOD devices.

In larger organizations there are specific roles or groups of people whose only task is to manage devices and endpoints, and Intune has quickly become the go-to solution for endpoint management.

Intune Enrollment & Deployment

What Devices Does Microsoft Intune Support?

Microsoft Intune supports a wide range of devices, including:

Intune can manage physical PC and laptop devices, Azure Virtual Desktops and Microsoft Cloud PCs, including those that are personally owned by employees.

Intune can manage iPhones and iPads running iOS 8.0 or later, including those that are personally owned by employees.

Intune can manage Android smartphones and tablets running Android 4.4 or later, including those that are personally owned by employees.

Intune can manage macOS computers running macOS 10.11 or later.

Enrolling Devices in Intune

Admins can manage all types of devices with Intune, including but not limited to Apple devices, Android devices, Windows machines, macOS machines, Linux machines, ChromeOS devices and other IoT devices, including both Windows and Linux thin clients. To manage these devices, they must be enrolled in Intune, which can be done using several methods depending on the type of device.

Once a device is enrolled, there are plenty of options for managing it, though depending on the type of device some options may be limited. Using Intune, admins can control device configuration, the device's security policies and updates, and determine whether the device is considered compliant, as well as control how and whether corporate data and applications are allowed to be accessed from the device.

Admins can also perform other functions such as wiping a device to prepare it for a new employee, reassigning a device to another user in the organization, forcing it to patch, and basic device controls such as power off and restart.

Intune and Your Security Posture

Intune offers a simplified way to implement many security measures that contribute to an organization's overall security posture. For years, endpoints have been managed at scale mainly through Group Policy Objects (GPOs), which did exactly what they had to do: offer lots of features to configure devices the way we wanted.

In recent years, the number of cybersecurity attacks and incidents has increased, causing organizations to embrace a Zero Trust security approach in response. Part of this approach is to prevent an attacker from using lateral movement from an endpoint onto the network or critical backend infrastructure. Let's face it, end users and their endpoints are often the weakest links in the security chain. Identity-based and social engineering attacks, like phishing, are the number one risk for most organizations. Preventing access to critical infrastructure from compromised endpoints should be a key strategy in a modern security approach.

That means it is time to shift away from GPOs, as they rely on having line-of-sight to the organization's traditional Active Directory. With Intune, organizations can set the same security settings that GPOs have handled for many years, while improving security and compliance.

Intune also offers compliance policies, which power conditional access to make sure only secure devices can access company data and resources, and Application Protection Policies to prevent data loss. Companies can also seamlessly onboard Intune-enrolled devices into Microsoft Defender for Endpoint for additional analytical insights and to remediate security threats.

Microsoft Intune Privacy

As with any technology solution, admins and users alike are always curious about privacy in Intune. Things like, ‘which data does Intune collect, and will my employer be able to track my location?’ The answer is, like with many IT-related questions, it depends. For personal devices, only strictly necessary data will be collected, and location is not part of that. For corporate devices, location data will be collected in MDM scenarios only.

Intune obtains personal data from various sources, such as the Intune admin center, enrolled devices, third-party services, and diagnostic information. Intune does not collect or allow administrators to access an end user’s calling or web browsing history, personal email, text messages, contacts, passwords to personal accounts, calendar events, or photos.

What Data Is Stored in Microsoft Intune?

When enrolling corporate or personal devices with Intune, the service will collect, process, and share only the necessary personal data to support business operations and ensure a seamless user experience.

To ensure that all data is treated with the utmost care and sensitivity, Intune separates the information it collects into two categories: required and optional. Within each category, the data is further divided into customer data, personal data, diagnostic data, and service-generated data. By collecting and analyzing this data, Intune can provide a tailored and efficient management experience that meets any organization’s specific needs.

Intune Policies

Intune’s Policies Can Be Broken Down into 4 Main Types:

1. Microsoft Intune Configuration Profiles

These policies govern how a particular enrolled device's settings are configured. For example, a Windows 11 device can be configured out of the box to join a specific Wi-Fi network without the end user having to type in credentials. IT might decide to restrict the user of the device from adding a personal OneDrive account to deter copying data to a personal account. There are literally thousands of configuration settings available for any given device.

2. Microsoft Intune Compliance Policies

These are a set of rules defined by IT that determine whether a specific device is considered compliant by the organization. Some examples of things you can require on a Windows 11 device for compliance include requiring that an approved antivirus solution is installed with updated virus definitions, that Microsoft Defender real-time protection is turned on, that the device has a compliant TPM chip for boot security, or that the device is encrypted via BitLocker. This type of policy can also define actions to be taken if a device is found non-compliant, such as marking it non-compliant after a certain number of days, automatically sending an FYI email to an admin, or retiring the device due to non-compliance.
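As an added illustration (not code from this article or from Nerdio), here is how the compliance rules and non-compliance actions just described map onto a Microsoft Graph request body for a Windows compliance policy. The policy name, grace periods and group id are constructed values; the property names, the enum values and the fixed "PasswordRequired" rule name are taken from the Graph v1.0 windows10CompliancePolicy documentation as I recall it, so verify them against the current docs before use.

```python
from typing import Optional

# Endpoint the finished body is POSTed to (Graph v1.0).
GRAPH = "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies"
# Values accepted by the Graph v1.0 deviceComplianceActionType enum.
VALID_ACTIONS = {"noAction", "notification", "block", "retire", "wipe",
                 "pushNotification", "remoteLock"}

def scheduled_action(action: str, grace_days: int = 0,
                     cc_groups: Optional[list] = None) -> dict:
    """One action taken on non-compliance. The admin center shows grace periods
    in days, but Graph stores gracePeriodHours, so convert in one place."""
    if action not in VALID_ACTIONS:
        raise ValueError(f"unknown actionType {action!r}")
    if grace_days < 0:
        raise ValueError("grace period cannot be negative")
    cfg: dict = {"actionType": action, "gracePeriodHours": grace_days * 24}
    if cc_groups:
        cfg["notificationMessageCCList"] = cc_groups  # Azure AD group ids to CC
    return cfg

def windows_compliance_policy(name: str, grace_days: int,
                              admin_group_id: str) -> dict:
    """Request body mirroring the article's Windows 11 example: approved AV with
    current definitions, Defender real-time protection, TPM and BitLocker."""
    return {
        "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
        "displayName": name,
        "antivirusRequired": True,   # an approved antivirus product must be installed
        "signatureOutOfDate": True,  # despite the name, true = require signatures current
        "defenderEnabled": True,
        "rtpEnabled": True,          # Microsoft Defender real-time protection on
        "tpmRequired": True,
        "bitLockerEnabled": True,
        "scheduledActionsForRule": [{
            "ruleName": "PasswordRequired",  # fixed name Graph uses for the action set
            "scheduledActionConfigurations": [
                scheduled_action("notification", 0, [admin_group_id]),  # FYI email now
                scheduled_action("block", grace_days),        # mark non-compliant later
                scheduled_action("retire", grace_days + 30),  # then retire the device
            ],
        }],
    }

def preflight(body: dict) -> list:
    """Local sanity checks before posting; returns the problems found (empty = ok)."""
    problems = []
    if not str(body.get("@odata.type", "")).endswith("CompliancePolicy"):
        problems.append("missing or wrong @odata.type")
    rules = body.get("scheduledActionsForRule") or []
    actions = [a for r in rules for a in r.get("scheduledActionConfigurations", [])]
    if sum(a["actionType"] == "block" for a in actions) != 1:
        problems.append("exactly one 'block' (mark non-compliant) action is required")
    for a in actions:
        if a["gracePeriodHours"] % 24:
            problems.append(f"{a['actionType']}: grace period is not a whole number of days")
    return problems
```

Posting the body to GRAPH requires a token with the DeviceManagementConfiguration.ReadWrite.All permission; the policy does nothing until it is assigned to an Azure AD group and referenced by a conditional access policy.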

3. Microsoft Intune Security Baselines

These are groups of security policies, configured from one place, that are specific to a type of device. For example, on a Windows 10 or Windows 11 device, an admin can enforce that BitLocker is enabled, tell the Edge or Chrome browser not to let end users store passwords in the browser's built-in password manager, block auto-joining Wi-Fi networks, or require a password after a machine comes online. As of March 2023, there are no security baselines yet for operating systems other than Windows.

4. Conditional Access in Microsoft Intune

These policies specifically define who can log in, from which devices, from where, and what information they can access across M365 and Azure. They are very powerful yet very confusing to configure, as one incorrectly enforced setting can potentially lock admins out of the very resources these policies are created to protect.

Microsoft Intune Licensing & Pricing

Microsoft Intune Licensing

Intune, just like other Microsoft products, has several ways of licensing. It’s already included with any of these licenses: Microsoft 365 Business Premium/E3/E5, EMS E3/E5, Microsoft 365 F1/F3 and Microsoft 365 G3/G5. It can be purchased all by itself a la carte for $8 per user per device but is much more economically attractive as part of a bundle.

Each user would need one of the above licenses assigned to be able to be managed via Intune. Each user is entitled to up to 15 devices per license. Microsoft also offers organizations a per-device license type for devices that aren't associated with any user. However, for an IT admin to start setting up policies and Intune for their tenant, only one applicable license is required.

As of March 2023, Intune offers three plan types that organizations can upgrade to if they wish to access additional functionality:

Intune Plan 1: This contains all previous Intune features, and is included with subscriptions to Microsoft 365 E3, E5, F1, F3, Enterprise Mobility + Security E3 and E5, and Business Premium plans.

Intune Plan 2: This plan offers additional application delivery options for iOS and Android devices and provides additional management capabilities for specialist devices. This add-on is charged on a per-user per-month basis, in addition to the Plan 1 costs.

Microsoft Intune Suite: The full suite offers all the features of Plan 2, plus a range of additional benefits, including remote help and privilege management for users. This add-on is charged on a per-user per-month basis, in addition to the Plan 1 costs.

Full details on all features can be found on Microsoft’s site.

Intune SKUs

Further, as documented here, Intune is included in a variety of SKUs commonly used in other industries, such as the government and education sectors.

Admins can also obtain Intune add-ons such as Microsoft Intune Remote Help or Microsoft Intune Endpoint Privilege Management for an additional per user per month cost. Add-ons in the Plan 2 and Intune Suite (detailed above) include advanced features such as Microsoft Intune Tunnel and management of specialty devices. Additional information about these add-on plans can be found here.

Pricing for Intune can be confusing as there are various ways to obtain licenses as profiled above. Traditionally, Intune has been available as part of another SKU. In March 2023 Microsoft announced standalone Intune plans as well.

Managed Service Providers (MSPs) that work with SMB customers have typically already purchased Microsoft 365 Business Premium licenses for their customers’ staff. These end-users routinely require a Microsoft 365 Business Premium license to use Outlook, Word, Excel and PowerPoint. That same Microsoft 365 Business Premium license entitles those users to Intune. As a result, for a significant portion of MSPs and their SMB customers, Intune is already available for free. They can simply start taking advantage of the Intune licenses they are already paying for via M365 Business Premium licenses.

M365 Business Premium is limited to organizations with 300 employees or less. As an organization grows, the next natural step is to purchase a Microsoft 365 enterprise (E3 or E5) license. This is the most common license used at larger organizations including very large enterprises with tens of thousands of users. As a result, a significant portion of large organizations have access to Intune as well.

Let’s use an example to illustrate how Intune may be used to manage devices only and not users. Consider a kiosk at a conference for attendees to check in to the conference. No particular user is logged in to the kiosk device, typically a Windows 10/11 device like a tablet. It is very important to administer, apply updates to and secure the device. Microsoft offers device-only licenses for such scenarios. These licenses cost $2 per device per month.

Additional Microsoft Intune Resources

Starter Guide for Intune in Nerdio Manager for MSP

Multi-tenant Endpoint Management (Intune) with Nerdio Manager Webinar

Transitioning from GPOs to Intune
