First published on TechNet on Jan 04, 2016
Happy New Year, people! Let me welcome you to the first post of 2016 for the Ask PFE Platforms blog.
I have a history of posting on our blog around the holidays/New Year's and 2016 is no different.
Last year, I did a "New Year's" post about Azure AD for the old-school AD admin:
In keeping with that same "old-school" spirit, today I'll discuss InTune for the old-school GPO Admin.
Let's do a quick level-set for GPOs:
This works all well and good in a traditional on-prem environment where a DC is never very far away. Even in a remote/disconnected situation, as long as the system will regularly connect back up to the on-prem network (and DC), GPOs have been providing configuration control for well over a decade.
In today's mobile-first, cloud-first world, things are evolving. There are more and more situations where there is no "on-prem", or connectivity to on-prem AD/DCs is few and far between (if ever). Another situation that is now common is "Bring Your Own Device" (BYOD), where the devices that people use may not be Windows-based, aren't corporate owned and likely aren't joined to the corporate AD.
So how do we manage devices and users who are out and about?
"Intune is a cloud-based service that lets you manage mobile devices, PCs, and apps so your users can be productive while you protect your company's information."
InTune does wwwwayyyy more than just device settings management (which you'll see as you read on) but in that regard, at a high level, InTune settings management is the same idea as Group Policy: There is a setting (or a collection of settings) that we want to apply to a given device.
The design and implementation is different, though. Whereas Group Policy was designed for a well-connected, private on-prem environment, InTune was designed more for a public Internet-connected environment.
InTune utilizes open standards for Mobile Device Management (MDM). Settings are defined via properly formatted XML config files that adhere to a set of open standards known as "OMA-DM" (developed by the Open Mobile Alliance - http://openmobilealliance.org ). Client-side code retrieves the config file(s) as messages from a secure Internet URL and applies the settings to an "enrolled" system. Another protocol used is WAP (Wireless Application Protocol), often used by the back end to 'push' a notification to a device telling it to come get a configuration. Outside of the MDM side, InTune has a client for rich endpoint management (actually, the Intune client is multiple sub-client pieces based on SCCM, SCOM and SCEP agents).
One point of differentiation between GPOs and InTune is in settings quantity. With InTune, there are far fewer settings than in the GPO world. However, in many ways, 'less is more' - with Intune, the idea is to simplify. Also, in my experience, there is a fairly narrow list of "common" GPO settings used by most orgs. In fact, I'd wager that there are GPO settings that you and I have never even looked at.
Another difference is for the BYOD scenarios. With GPOs, the device needs to be domain-joined for the GPO to apply, but with InTune, that isn't the case. You can manage settings on a non-domain-joined device, such as a user's personal tablet or smartphone. This way, your users can use their own devices to work with corporate apps/data, yet they aren't fully locked down. InTune "enrollment" can ensure those devices adhere to certain compliance levels/settings for your corporate data/apps - such as requiring a PIN or device encryption - but other aspects of the device remain unaffected. A recent feature-add for InTune is known as "Mobile Application Management" or MAM. The idea with MAM is for IT to manage/control the apps/data on a device without the device even needing to be enrolled in the InTune service. More about this feature can be found here:
One more difference between InTune and Group Policy is support for non-Windows platforms. With GPO, that never really took off (outside of a few exceptions), but with InTune you can manage non-Windows devices (Android, iOS), as well as Windows Phone and tablet (RT) devices.
The back end:
The front end:
The InTune Client can be installed on Windows PCs that don't have built-in MDM support, such as Windows 7.
!! ALERT !! – the agent will not install if there is already an SCCM agent installed on the client
I can't really demo much for you on a 'static' blog post but I can provide some screen shots here so you get a feel for the UI/workflow.
The following is based on an InTune subscription with a Windows 7 and Windows 8.1 PC enrolled, as well as a Windows Phone 8.1 device.
…including detailed hardware inventory (which can flow through to your SCCM inventory if you've enabled SCCM integration).
Using the admin portal, there are common Configuration Policies and Compliance Policies that can be defined for various flavors of devices (i.e. Windows, Android, iOS):
Custom settings can be defined with an element of the OMA standard known as OMA-URI ("Uniform Resource Identifier"). Custom settings support expanded rapidly in Windows 8.1 and again with Windows 10, but as I said before, it isn't at the same level as Group Policy (or the almost infinite possibilities of GPP):
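As an added example (not code from the original post or from Microsoft), here is a small Python parser for the kind of OMA-DM SyncML body described above: it pulls out each OMA-URI setting carried in Add/Replace commands and flags items whose URI falls outside the Microsoft CSP tree or whose data doesn't match the declared format, which is the review a defender wants before a custom policy reaches enrolled devices. The SyncML text is constructed for this example; the two DeviceLock URIs follow the Policy CSP layout, and the ./Vendor/Unknown item is a deliberate placeholder to exercise the validator.

```python
import xml.etree.ElementTree as ET

# Namespaces used by SyncML message bodies and their <Meta> blocks.
NS = {"s": "SYNCML:SYNCML1.2", "m": "syncml:metinf"}

# Constructed sample (not captured from a real tenant): one Replace command with
# two Policy CSP settings and one deliberately malformed item for the validator.
SAMPLE_SYNCML = """<SyncML xmlns="SYNCML:SYNCML1.2"><SyncBody>
<Replace><CmdID>2</CmdID>
 <Item><Target><LocURI>./Vendor/MSFT/Policy/Config/DeviceLock/MinDevicePasswordLength</LocURI></Target>
  <Meta><Format xmlns="syncml:metinf">int</Format></Meta><Data>6</Data></Item>
 <Item><Target><LocURI>./Vendor/MSFT/Policy/Config/DeviceLock/MaxInactivityTimeDeviceLock</LocURI></Target>
  <Meta><Format xmlns="syncml:metinf">int</Format></Meta><Data>15</Data></Item>
 <Item><Target><LocURI>./Vendor/Unknown/SomeSetting</LocURI></Target>
  <Meta><Format xmlns="syncml:metinf">int</Format></Meta><Data>yes</Data></Item>
</Replace><Final/></SyncBody></SyncML>"""

# Roots of the Microsoft CSP tree that a custom OMA-URI is expected to live under.
ALLOWED_PREFIXES = ("./Vendor/MSFT/", "./Device/Vendor/MSFT/", "./User/Vendor/MSFT/")


def parse_settings(syncml_text):
    """Return one dict per <Item> in Add/Replace commands: cmd, cmd_id, uri, format, data."""
    root = ET.fromstring(syncml_text)
    settings = []
    for cmd in ("Add", "Replace"):
        for elem in root.findall(f"s:SyncBody/s:{cmd}", NS):
            cmd_id = elem.findtext("s:CmdID", default="", namespaces=NS)
            for item in elem.findall("s:Item", NS):
                settings.append({
                    "cmd": cmd,
                    "cmd_id": cmd_id,
                    "uri": item.findtext("s:Target/s:LocURI", default="", namespaces=NS),
                    # SyncML treats a missing Format as character data.
                    "format": item.findtext("s:Meta/m:Format", default="chr", namespaces=NS),
                    "data": item.findtext("s:Data", default="", namespaces=NS),
                })
    return settings


def validate(setting):
    """Return a list of problems; an empty list means the setting looks well-formed."""
    problems = []
    if not setting["uri"].startswith(ALLOWED_PREFIXES):
        problems.append("OMA-URI outside the Microsoft CSP tree")
    if setting["format"] == "int" and not setting["data"].lstrip("-").isdigit():
        problems.append("int format but non-integer Data")
    return problems


def review(syncml_text):
    """Map each OMA-URI in the message to its problem list (empty list == OK)."""
    return {s["uri"]: validate(s) for s in parse_settings(syncml_text)}
```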
I clicked Yes and I was prompted to select a group to deploy the policy to:
Double-click the desired Alert and configure the details:
Add a recipient(s) for the Notification:
A sample email from the above Alert/Notification:
Here are some common questions/tasks and how we do them with InTune:
"When a policy or app is deployed, Intune immediately begins attempting to notify the device that it should check-in with the Intune service. This typically takes less than 5 minutes."
"If a device doesn't check in to get policy after the first notification is sent, 3 more attempts are made. If the device is offline (for example, it is turned off, or not connected to a network) then it might not receive the notifications."
Platform | Check-in frequency after initial notification
--- | ---
iOS | Every 6 hours
Android | Every 8 hours
Windows Phone | Every 8 hours
Windows PCs enrolled as devices | Every 24 hours

Platform | Frequency
--- | ---
iOS | Every 15 minutes for 6 hours and then every 6 hours
Android | Every 3 minutes for 15 minutes then every 15 minutes for 2 hours, and then every 8 hours
Windows Phone | Every 5 minutes for 15 minutes then every 15 minutes for 2 hours, and then every 8 hours
Windows PCs enrolled as devices | Every 3 minutes for 30 minutes, and then every 24 hours
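An added example (not from the original post): the refresh schedules from the second table encoded in Python, used to work out which interval a device should currently be on and to flag enrolled devices that have missed several expected check-ins, a cheap "dropped off the radar" detector for an admin reviewing the portal's device list. The device inventory is constructed, and the short platform keys and the missed_cycles threshold are my own choices.

```python
from datetime import datetime, timedelta

# Refresh schedules from the table above as (interval, phase length) pairs;
# a phase length of None means "keep that interval from then on".
# "Windows PC" stands for the table's "Windows PCs enrolled as devices" row.
REFRESH_SCHEDULE = {
    "iOS": [(timedelta(minutes=15), timedelta(hours=6)), (timedelta(hours=6), None)],
    "Android": [(timedelta(minutes=3), timedelta(minutes=15)),
                (timedelta(minutes=15), timedelta(hours=2)), (timedelta(hours=8), None)],
    "Windows Phone": [(timedelta(minutes=5), timedelta(minutes=15)),
                      (timedelta(minutes=15), timedelta(hours=2)), (timedelta(hours=8), None)],
    "Windows PC": [(timedelta(minutes=3), timedelta(minutes=30)), (timedelta(hours=24), None)],
}


def expected_interval(platform, enrolled_at, at):
    """Interval the device should be checking in with at time `at`, per its schedule."""
    elapsed = at - enrolled_at
    phase_start = timedelta(0)
    for interval, length in REFRESH_SCHEDULE[platform]:
        if length is None or elapsed < phase_start + length:
            return interval
        phase_start += length
    raise ValueError("schedule must end with an open-ended phase")


def overdue_devices(devices, now, missed_cycles=2):
    """Names of devices whose last check-in is more than `missed_cycles`
    expected intervals ago (interval taken at the time of that last check-in)."""
    stale = []
    for d in devices:
        interval = expected_interval(d["platform"], d["enrolled_at"], d["last_checkin"])
        if now - d["last_checkin"] > interval * missed_cycles:
            stale.append(d["name"])
    return stale


# Constructed sample inventory (not real tenant data).
NOW = datetime(2016, 1, 4, 12, 0)
DEVICES = [
    {"name": "pc-01", "platform": "Windows PC",
     "enrolled_at": NOW - timedelta(days=30), "last_checkin": NOW - timedelta(hours=20)},
    {"name": "pc-02", "platform": "Windows PC",
     "enrolled_at": NOW - timedelta(days=30), "last_checkin": NOW - timedelta(days=3)},
    {"name": "phone-01", "platform": "Windows Phone",
     "enrolled_at": NOW - timedelta(days=5), "last_checkin": NOW - timedelta(hours=20)},
    {"name": "pc-new", "platform": "Windows PC",  # still in the 3-minute burst phase
     "enrolled_at": NOW - timedelta(minutes=10), "last_checkin": NOW - timedelta(minutes=4)},
]
```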
I don't normally like web portals much but I have to say, the InTune portal is excellent.
With the clean, uncluttered UI, the right-click context menus, obvious clickable links/actions (in blue), information/details, copy text, printing, exporting, etc, I honestly forgot I was using a web portal.
A few more resources – the first is a long but very informative whitepaper about much of the MDM details (this is required reading for a background in MDM protocols and such).
Well folks, there you have it…some discussion, thoughts and screenshot-mania around InTune from the viewpoint of an old-school GPO Admin.
As you can see, InTune is a feature-rich solution that addresses many requirements, including device settings management but also well beyond. There are some aspects of Intune that I didn't touch on - such as SCCM integration, app deployment and licensing,
Even in leaving out those elements, this post is one of those projects that just kept growing. The more I worked on it, the more I learned and the longer the post became.
Hopefully, you found it helpful and Microsoft Intune is a little less mysterious for you.
This is my last post for the Ask PFE Platforms blog as I'm departing the PFE ranks and taking on a new role at Microsoft. Thanks for your readership and comments over the last several years - this blog has been one of my most enjoyable endeavors.
Soon, I hope to find another TechNet blog where I'll be able to make some more Internet noise but the other Plat PFEs here will keep you informed and entertained.
Cheers - and here's to getting/being more "Cloud Ready" in 2016!
Hilde