By Adrian Moore – Sr Program Manager | Microsoft Endpoint Manager
As part of the Microsoft 365 license, your company is likely entitled to adopt Microsoft Endpoint Manager, which brings together Microsoft Intune and Configuration Manager into a unified platform to help protect and manage your organization's devices and apps. Now what? Let's go through the basics of managing your organization's devices and mobile applications with Microsoft Intune.
Microsoft Intune was architected from the cloud and for the cloud and is closely tied to Azure Active Directory (Azure AD). Intune controls integrate with Azure AD and Conditional Access (CA) policies to help you manage access to your organization’s apps and devices and to protect and isolate corporate data. Intune supplies device compliance state to CA, and that compliance evaluation can also incorporate risk signals from Microsoft Defender for Endpoint and from mobile threat defense (MTD) apps. Intune also integrates with network access control (NAC) solutions so that only compliant devices can connect to your corporate network.
App stores are key parts of an Intune deployment. For iOS devices, you can use either the Apple Volume Purchase Program (VPP), which is part of Apple Business Manager, or the App Store. In the case of Android, either the Google Play app store for device administrator devices, or Managed Google Play for Android Enterprise devices can be used. For Windows, the Microsoft Store for Business provides a great experience for app deployment.
Your administrative management experience is centralized from the Microsoft Endpoint Manager admin center, which uses Microsoft Graph calls to the Intune service. Every action from app configuration to mobile device management settings to security in the admin center is a Microsoft Graph call. If you’re not familiar with Graph, take some time to understand it—specifically how it integrates with Microsoft Intune.
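Because the admin center is just a Graph client, anything you can see there you can also query directly. The following PowerShell is an added example, not code from the original post: it reads the same managedDevices endpoint the admin center uses, walks the paged result, and flags devices that are either noncompliant or have not checked in for 30 days (a stale device still holds a valid MDM certificate but is no longer being evaluated, so any Conditional Access decision about it rests on old data). It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account can consent to the DeviceManagementManagedDevices.Read.All scope; the 30-day threshold is a chosen value, not an Intune default.

```powershell
# Added example: inventory Intune-managed devices through Microsoft Graph and
# surface the ones that need attention. Assumes the Microsoft.Graph SDK.
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All"

# Use the raw request helper so the paging (@odata.nextLink) is explicit.
$uri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices" +
       "?`$select=id,deviceName,operatingSystem,complianceState,lastSyncDateTime&`$top=200"
$devices = @()
while ($uri) {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
    $devices += $page.value
    $uri = $page.'@odata.nextLink'    # $null on the last page ends the loop
}

# Assumed threshold: treat a device that has not synced in 30 days as stale.
$staleBefore = (Get-Date).AddDays(-30)
$attention = $devices | Where-Object {
    $_.complianceState -ne 'compliant' -or [datetime]$_.lastSyncDateTime -lt $staleBefore
} | Select-Object deviceName, operatingSystem, complianceState, lastSyncDateTime

# Summary by compliance state (compliant, noncompliant, inGracePeriod, error, ...)
$devices | Group-Object complianceState | Select-Object Name, Count

# Devices to follow up on, oldest check-in first
$attention | Sort-Object lastSyncDateTime | Format-Table -AutoSize
```

The `-OutputType PSObject` switch matters: the default hashtable output is fine for `$page.value`, but `Select-Object` and `Format-Table` only see members of real objects, so the per-device projection would come back empty.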
Intune Service Architecture.
Intune began as a combination of services running on physical machines in a private datacenter and distributed services running on Azure. By 2018, all Intune services had been re-architected to run on Microsoft Azure. Today, Intune’s cloud services are built on Azure Service Fabric: each service is deployed to a Service Fabric cluster made up of front-end and middle-tier nodes, and we refer to such a cluster as an Azure Scale Unit, or ASU.
Here’s what the backend architecture looks like:
Intune ASU Architecture: Global View.
Moving from physical machines in a private datacenter to a cloud-based, micro-service architecture enabled Microsoft to scale Intune to billions of devices and apps and to rapidly deliver new innovations. Customers experienced increased reliability, stability, and performance of the service. You can find out more about the development of this architecture in the blog post How we built (rebuilt!) Intune into a leading globally scaled cloud service.
A successful adoption or migration to Microsoft Intune starts with a plan. This plan depends on your company’s current device management solution, business goals, and technical requirements. Additionally, you should include key stakeholders who will support and collaborate with the plan.
The following resources will help plan and deploy Intune:
In Intune you manage devices, apps, and how they access company data. To use Intune mobile device management (MDM), a device must first be enrolled in the Intune service. At enrollment the device is issued an MDM certificate, which it then uses to authenticate its communication with the Intune service.
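When a Windows device stops checking in, the first things to confirm on the device itself are that the enrollment record exists and that the MDM certificate is present, has its private key, and is not about to expire. The following PowerShell is an added example, not code from the original post, to run in an elevated session on the device. It assumes that the certificate Intune issues at enrollment is issued by "Microsoft Intune MDM Device CA" and stored in the machine's Personal store, and that Intune enrollments are recorded under HKLM:\SOFTWARE\Microsoft\Enrollments with ProviderID "MS DM Server" and EnrollmentState 1 meaning enrolled; treat those names as assumptions to confirm against your own devices.

```powershell
# Added example: local health check of Intune MDM enrollment on a Windows device.
# Assumption: the enrollment certificate is issued by "Microsoft Intune MDM Device CA".
$mdmCerts = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like '*Microsoft Intune MDM Device CA*' }

if (-not $mdmCerts) {
    Write-Warning "No Intune MDM device certificate found: the device is not enrolled or enrollment failed."
} else {
    foreach ($c in $mdmCerts) {
        $daysLeft = ($c.NotAfter - (Get-Date)).Days
        [pscustomobject]@{
            Subject    = $c.Subject        # CN carries the Intune device identity
            NotAfter   = $c.NotAfter
            DaysLeft   = $daysLeft
            HasPrivKey = $c.HasPrivateKey  # must be $true, or the device cannot authenticate its check-in
        }
        if (-not $c.HasPrivateKey) { Write-Warning "Certificate $($c.Thumbprint) has no private key." }
        if ($daysLeft -lt 30)      { Write-Warning "Certificate $($c.Thumbprint) expires in $daysLeft days." }
    }
}

# Enrollment records: one GUID-named key per enrollment.
# Assumption: Intune enrollments carry ProviderID 'MS DM Server'; EnrollmentState 1 = enrolled.
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
    Where-Object { $_.ProviderID -eq 'MS DM Server' } |
    Select-Object PSChildName, EnrollmentState, UPN, DiscoveryServiceFullURL
```

A certificate without a private key, or an enrollment key with no matching certificate, is the usual signature of a device that was imaged from an enrolled template or had its certificate store reset; the fix is to re-enroll rather than to copy certificates around.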
Devices can be enrolled on the following platforms. For the specific versions, see Supported operating systems:
Different platforms may have additional requirements. For example, iOS/iPadOS and macOS devices require an MDM push certificate from Apple.
The following resources will help you learn more about device enrollment for each platform:
Microsoft Intune includes settings and features you can enable or disable on different devices within your organization. These settings and features are added to configuration profiles. You can create profiles for different devices and different platforms, including iOS/iPadOS, macOS, Android device administrator, Android Enterprise, and Windows. Then, use Intune to apply or "assign" the profile to the devices.
The following resources will help you understand how to configure device settings:
MDM solutions like Intune can help set requirements for users and devices to protect organizational data. In Intune, you manage these requirements with compliance policies. There are two parts to compliance policies in Intune:
The following articles will help you understand how to create and monitor compliance policies in Intune, as well as how to integrate with MTD and NAC solutions, and Conditional Access:
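A compliance policy only changes a device's compliance state if it carries at least one scheduled action; a policy created through Graph without a scheduledActionsForRule entry is accepted but never marks anything noncompliant, so Conditional Access keeps treating every targeted device as compliant. The following PowerShell is an added example, not code from the original post: it creates a Windows compliance policy that requires a TPM, BitLocker, Secure Boot, code integrity and a minimum OS build, ties the policy to the Defender for Endpoint risk level mentioned above, attaches an immediate block action, and assigns the policy to a group. It assumes the Microsoft.Graph SDK with the DeviceManagementConfiguration.ReadWrite.All scope; the policy name, the minimum build number and the group ID are placeholders to replace with your own.

```powershell
# Added example: create and assign a Windows compliance policy via Microsoft Graph.
# Assumes the Microsoft.Graph SDK and DeviceManagementConfiguration.ReadWrite.All.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

$policy = @{
    "@odata.type"            = "#microsoft.graph.windows10CompliancePolicy"
    displayName              = "Baseline - Windows"                       # assumed name
    description              = "TPM, BitLocker, Secure Boot, code integrity, current OS, MDE risk <= medium"
    tpmRequired              = $true
    bitLockerEnabled         = $true
    secureBootEnabled        = $true
    codeIntegrityEnabled     = $true
    storageRequireEncryption = $true
    activeFirewallRequired   = $true
    passwordRequired         = $true
    osMinimumVersion         = "10.0.19045.0"                             # assumed build; use your fleet's floor
    # Risk signal from Microsoft Defender for Endpoint: devices rated above "medium" become noncompliant.
    deviceThreatProtectionEnabled               = $true
    deviceThreatProtectionRequiredSecurityLevel = "medium"
    # Without this, the policy evaluates but never changes compliance state.
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{ actionType = "block"; gracePeriodHours = 0 }            # noncompliant immediately, no grace period
            )
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST -OutputType PSObject `
    -Uri  "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies" `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType "application/json"
"Created policy $($created.id)"

# Assign to a device group (placeholder GUID; replace with your own group's object ID).
$assignment = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                       groupId       = "00000000-0000-0000-0000-000000000000" } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri  "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType "application/json"
```

`ConvertTo-Json -Depth 10` is deliberate: the default depth of 2 silently flattens the nested scheduledActionConfigurations array into a string, which is exactly the case that produces a policy with no effective action.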
Intune app protection policies (APP) allow you to protect organizational data within an application. Together with app configuration capabilities, you can implement mobile application management (MAM) in Intune to help protect sensitive data that is accessed from both managed and unmanaged devices. With MAM without enrollment (MAM-WE), you can use Intune to manage work or school-related apps, including productivity apps such as the Microsoft Office apps, on almost any device, including personal devices in bring-your-own-device (BYOD) scenarios. See the official list of Microsoft Intune protected apps available for public use.
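The controls an app protection policy applies are easier to reason about as a concrete object than as a settings page. The following PowerShell is an added example, not code from the original post: it creates an iOS app protection policy that keeps corporate data inside policy-managed apps and approved storage, requires a PIN and organizational credentials, wipes app data after a long offline period, and then targets it at a specific app. It assumes the Microsoft.Graph SDK with the DeviceManagementApps.ReadWrite.All scope; the policy name, the time periods and the app bundle identifier are placeholders you should replace with your own.

```powershell
# Added example: create an iOS app protection policy (MAM) via Microsoft Graph and target an app.
# Assumes the Microsoft.Graph SDK and DeviceManagementApps.ReadWrite.All.
Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All"

$app = @{
    "@odata.type" = "#microsoft.graph.iosManagedAppProtection"
    displayName   = "APP - iOS - Corporate data"                     # assumed name
    description   = "Data stays in managed apps; PIN and work account required"
    # Data transfer: only between policy-managed apps, and only to approved storage.
    allowedOutboundDataTransferDestinations = "managedApps"
    allowedInboundDataTransferSources        = "managedApps"
    allowedDataStorageLocations             = @("oneDriveForBusiness", "sharePoint")
    saveAsBlocked                           = $true
    dataBackupBlocked                       = $true                  # keep corporate data out of iCloud backup
    managedBrowserToOpenLinksRequired       = $true
    # Access: PIN plus work account, and periodic re-check of both.
    pinRequired                        = $true
    organizationalCredentialsRequired  = $true
    periodOnlineBeforeAccessCheck      = "PT30M"                    # ISO 8601 durations; assumed values
    periodOfflineBeforeAccessCheck     = "PT12H"
    periodOfflineBeforeWipeIsEnforced  = "P90D"                     # offline this long => selective wipe of app data
}

$policy = Invoke-MgGraphRequest -Method POST -OutputType PSObject `
    -Uri  "https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections" `
    -Body ($app | ConvertTo-Json -Depth 10) -ContentType "application/json"
"Created app protection policy $($policy.id)"

# Target the policy at an app by bundle ID (placeholder; use the bundle IDs of the apps you protect).
$targets = @{
    apps = @(
        @{ "@odata.type"       = "#microsoft.graph.managedMobileApp"
           mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"
                                    bundleId      = "com.example.workapp" } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri  "https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections/$($policy.id)/targetApps" `
    -Body ($targets | ConvertTo-Json -Depth 10) -ContentType "application/json"
```

Note that a policy with no targeted apps protects nothing: the app list, not the policy itself, is what decides which processes the data-transfer and PIN controls apply to.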
To get an overview of app protection policies and how they work, check out the following articles:
Intune supports a wide range of apps, including store apps for iOS, macOS, Android, and Windows, and line-of-business (LOB) apps. You can manage app deployment from the Microsoft Endpoint Manager admin center. Also, you can use Intune to orchestrate store app deployment with Managed Google Play, the Apple App Store, and the Microsoft Store.
Check out these resources to find out how to add and manage apps with Intune:
You should understand how Intune collects, stores, retains, processes, secures, shares, audits, and exports personal data. Microsoft Intune does not use any personal data collected as part of providing the service for profiling, advertising, or marketing purposes.
The following resources will help you understand privacy and personal data in Intune:
New Intune features typically move from planning to release on a six- to eight-week cadence, called a sprint. Intune releases use a YYMM naming convention; for example, 2107 is the July 2021 release.
Our monthly release process is a methodical update of many different environments, first across multiple Azure services and then in the admin center which makes it available for use. An internal environment called Self Host is the first environment to receive the release. This is used only by the Intune engineering teams. We then roll out to the Microsoft tenant, which manages over 650,000 devices. Once we’ve validated there are no key issues with the services, we then begin rolling out to customer environments in a phased approach. Once all tenants have been successfully updated, we update the Microsoft Endpoint Manager admin center. This phased approach lets us identify issues before they impact the service or our customers.
Updating the Company Portal app is a different process. Microsoft is subject to the release requirements and processes of the Apple App Store and Google Play, and sometimes mobile carriers. It isn’t always possible to align Intune release updates with updates to the Company Portal. See UI updates for Intune end-user apps for information on Company Portal updates.
Keeping up to date with releases and changes is an important part of your Intune deployment. Intune provides several ways to stay current with the latest updates to the service:
Intune also shares information about updates in development, posts service incidents in Microsoft Endpoint Manager admin center, and can send email notifications. To learn how to stay current with this information, see Staying up to date on Intune new features, service changes, and service health.
We hope you found this overview of Intune helpful. Check out Tips and tricks for managing Intune to continue learning how to get the best out of your Intune deployment.
For additional information on this subject, see the following documentation:
Tutorial: Walkthrough Intune in Microsoft Endpoint Manager
High-level architecture for Microsoft Intune
If you have any questions, reply to this post or reach out to @IntuneSuppTeam on Twitter.