Getting started with Microsoft Endpoint Manager

Microsoft

Jun 29, 2021

By Adrian Moore – Sr Program Manager | Microsoft Endpoint Manager

As part of the Microsoft 365 license, your company is likely entitled to adopt Microsoft Endpoint Manager, which brings together Microsoft Intune and Configuration Manager into a unified platform to help protect and manage your organization's devices and apps. Now what? Let's go through the basics of managing your organization's devices and mobile applications with Microsoft Intune.

A global cloud service architecture

Microsoft Intune was architected from the cloud and for the cloud and is closely tied with Azure Active Directory (Azure AD). Intune controls integrate with Azure AD and Conditional Access (CA) policies to help you manage access to your organization’s apps and devices and protect and isolate corporate data. Intune enhances CA with device-based compliance and can also take risk signals from Microsoft Defender for Endpoint, as well as mobile threat defense (MTD) apps. Intune also integrates with network access control (NAC) solutions to ensure only compliant devices can connect to your corporate network.

App stores are key parts of an Intune deployment. For iOS devices, you can use either the Apple Volume Purchase Program (VPP), which is part of Apple Business Manager, or the App Store. In the case of Android, either the Google Play app store for device administrator devices, or Managed Google Play for Android Enterprise devices can be used. For Windows, the Microsoft Store for Business provides a great experience for app deployment.

Your administrative management experience is centralized from the Microsoft Endpoint Manager admin center, which uses Microsoft Graph calls to the Intune service. Every action from app configuration to mobile device management settings to security in the admin center is a Microsoft Graph call. If you’re not familiar with Graph, take some time to understand it—specifically how it integrates with Microsoft Intune.

Intune Service Architecture.

Initially, Intune began as a combination of a set of services running on physical machines in a private datacenter, and a set of distributed services running on Azure. By 2018, all Intune services were re-architected to run on Microsoft Azure. Today, Intune’s cloud services are built on Azure Service Fabric. All services are deployed to a Service Fabric cluster consisting of a group of front-end and middle-tier nodes. We refer to these clusters as an Azure Scale Unit, or ASU.

Here’s what the backend architecture looks like:

Intune ASU Architecture: Global View.

There are 18 clusters spread over three regions in North America, Europe, and Asia Pacific. Each cluster has about 5,000 services running, all partitioned to scale out.
The clusters are completely isolated and independent of one other. They are hosted in different subscriptions and datacenters and cannot access each other.
We back up data to an external persisted Azure table/blob storage. This enables fast recovery for replicas in case of catastrophic failure.

Moving from physical machines in a private datacenter to a cloud-based, micro-service architecture enabled Microsoft to scale Intune to billions of devices and apps and to rapidly deliver new innovations. Customers experienced increased reliability, stability, and performance of the service. You can find out more about the development of this architecture in the blog post How we built (rebuilt!) Intune into a leading globally scaled cloud service.

Planning and deployment

A successful adoption or migration to Microsoft Intune starts with a plan. This plan depends on your company’s current device management solution, business goals, and technical requirements. Additionally, you should include key stakeholders who will support and collaborate with the plan.

The following resources will help plan and deploy Intune:

Device enrollment

You can manage devices and apps, and how they access company data, in Intune. To use Intune mobile device management (MDM), the devices must first be enrolled in the Intune service. When a device is enrolled, it's issued an MDM certificate. This certificate is used to communicate with the Intune service.

Devices can be enrolled on the following platforms. For the specific versions, see Supported operating systems:

Android
iOS/iPadOS
macOS
Windows

Different platforms may have additional requirements. For example, iOS/iPadOS and macOS devices require an MDM push certificate from Apple.

The following resources will help you learn more about device enrollment for each platform:

Device configuration

Microsoft Intune includes settings and features you can enable or disable on different devices within your organization. These settings and features are added to configuration profiles. You can create profiles for different devices and different platforms, including iOS/iPadOS, macOS, Android device administrator, Android Enterprise, and Windows. Then, use Intune to apply or "assign" the profile to the devices.

The following resources will help you understand how to configure device settings:

Compliance policies

MDM solutions like Intune can help set requirements for users and devices to protect organizational data. In Intune, you manage these requirements with compliance policies. There are two parts to compliance policies in Intune:

Compliance policy settings  – Tenant-wide settings that are like a built-in compliance policy that every device receives. Compliance policy settings set a baseline for how compliance policy works in your Intune environment, including whether devices that haven’t received any device compliance policies are compliant or noncompliant.
Device compliance policy – Platform-specific rules administrators can configure and deploy to groups of users or devices. These rules define requirements for devices, like minimum operating systems or the use of disk encryption. Devices must meet these rules to be considered compliant.

The following articles will help you understand how to create and monitor compliance policies in Intune, as well as how to integrate with MTD and NAC solutions, and Conditional Access:

Intune app protection policies

Intune app protection policies (APP) allow you to protect organizational data within an application. Together with app configuration capabilities, you can implement mobile application management (MAM) in Intune to help protect sensitive data that is accessed from both managed and unmanaged devices. With MAM without enrollment (MAM-WE), you can use Intune to manage work or school-related apps, including productivity apps such as the Microsoft Office apps, on almost any device, including personal devices in bring-your-own-device (BYOD) scenarios. See the official list of Microsoft Intune protected apps available for public use.

To get an overview of app protection policies and how they work, check out the following articles:

Delivering apps to devices

Intune supports a wide range of apps, including store apps for iOS, macOS, Android, and Windows, and line-of-business (LOB) apps. You can manage app deployment from the Microsoft Endpoint Manager admin center. Also, you can use Intune to orchestrate store app deployment with Managed Google Play, the Apple App Store, and the Microsoft Store.

Check out these resources to find out how to add and manage apps with Intune:

Privacy and personal data in Intune

You should understand how Intune collects, stores, retains, processes, secures, shares, audits, and exports personal data. Microsoft Intune does not use any personal data collected as part of providing the service for profiling, advertising, or marketing purposes.

The following resources will help you understand privacy and personal data in Intune:

Intune service updates

New feature releases for Intune typically have a six to eight-week cadence, from planning to release, called a sprint. Intune releases use a YYMM naming convention. For example, 2107 would be a July 2021 release.

How updates are released

Our monthly release process is a methodical update of many different environments, first across multiple Azure services and then in the admin center which makes it available for use. An internal environment called Self Host is the first environment to receive the release. This is used only by the Intune engineering teams. We then roll out to the Microsoft tenant, which manages over 650,000 devices. Once we’ve validated there are no key issues with the services, we then begin rolling out to customer environments in a phased approach. Once all tenants have been successfully updated, we update the Microsoft Endpoint Manager admin center. This phased approach lets us identify issues before they impact the service or our customers.

Updating the Company Portal app is a different process. Microsoft is subject to the release requirements and processes of the Apple App Store and Google Play, and sometimes mobile carriers. It isn’t always possible to align Intune release updates with updates to the Company Portal. See UI updates for Intune end-user apps for information on Company Portal updates.

How can I tell if a service update is complete for my tenant?

Sign in to the Microsoft Endpoint Manager admin center.
Select Tenant administration > Tenant status to see your tenant’s name and location, MDM authority, account status, and service release number. In the example below, the tenant has the 2104 (April 2021) service release.

Example screenshot of the Tenant admin > Tenant status blade.

Keeping up to date about releases

Keeping up to date about releases and changes is an important part of your Intune deployment. Intune provides several ways to stay current about latest updates to the service:

What's new in Intune  – Learn what’s new each week in in Microsoft Intune, including an overview of the current release, notices, information about earlier releases, and other information. Content is published at the end of the current sprint once the UI updates start rolling out in the Microsoft Endpoint Manager admin center.
Message Center – When the service update is completely rolled out, you’ll see a message posted in the Tenant status – Service health and message center, or you can view the same messages in the Message Center at portal.office.com. We use service APIs to pull just the Microsoft Endpoint Manager messages from Office into the Microsoft Endpoint Manager admin center UI.
Microsoft Intune Tenant Status page  - A centralized hub where you can view current information and communications about the Intune service and your tenant status.
1. Navigate to the Microsoft Endpoint Manager admin center.
2. Select Tenant administration > Tenant status > Service Health > Message center.
3. Select a message under INTUNE MESSAGE CENTER to read it.
Get the latest announcements from Twitter — @IntuneSuppTeam.

Intune also shares information about updates in development, posts service incidents in Microsoft Endpoint Manager admin center, and can send email notifications. To learn how to stay current with this information, see Staying up to date on Intune new features, service changes, and service health.

We hope you found this overview of Intune helpful. Check out Tips and tricks for managing Intune to continue learning how to get the best out of your Intune deployment.