SOLVED

InTune SCCM Benefits

Copper Contributor

We have an environment with mobile devices, all Android OS and Samsung, where some of the devices are shared by different users. We also have about 800 desktops, 400 laptops and 100 thin clients. We have the default mail app on all mail devices currently, Airwatch in a DSaaS environment, and also Windows Imaging Services and PDQ Deploy.

 

I was wondering how Intune and SCCM compare, and how they could solve the above scenarios, if we choose to move to an Intune/SCCM infrastructure.

 

Any presentation or documentation around the above would also be nice.

 

Many thanks in advance.

3 Replies
best response confirmed by ED Jones (Copper Contributor)
Solution

800 desktops 

400 laptops

100 thin clients 

Default mail app on all mail devices currently

Airwatch in a DSaaS environment 

Windows Imaging Services and PDQ Deploy

Data Loss Prevention technology is not currently deployed

 


This is a rather large question you are asking, which is why I would imagine there have been lots of views of your question, with no replies. It's going to take a bit to unpack this, so hang with me for a long response.

The modern recipe is to use Intune to manage the desktops and laptops. For your size of organization, you may be a bit small for an SCCM deployment. It's a debatable point, but in general, if you can avoid SCCM, then you'll have less overhead and you may be able to manage with Intune only. For example, Intune can manage Windows 10 as a device, just like managing an iOS or Android device. Intune can push software to Windows 10, but there are limitations to consider. For example, if you need to install an .MSI file under the system/device context, you can only do that with SCCM; that is not yet supported with Intune. But if you can get away with installing an .MSI file under the user context, then Intune's software deployment capabilities may suit you fine. You'll want to review the documentation of Intune (link provided below) to get a fuller appreciation and understanding of its strengths and limitations.

SCCM may come into play for operating system deployment, but that too is going in the direction of AutoPilot with auto-enrollment into Intune.

If you are going the path of Microsoft, we would encourage you to re-think using the default mail app, and plan to standardize on the Microsoft Outlook app for iOS and Android. That way, you can enforce Intune's Mobile Application Management policies, which are in effect a form of data loss prevention on the device, as they prevent users from copying and pasting data from business apps into personal apps, and block Save-As from a business app into a personal storage app. (MAM has at least 15 features designed to protect business apps.) Whereas if you keep using the native mail client on these devices, you're limited in what you can do, and also limited on multi-factor authentication, which is natively supported in the Microsoft Outlook app for iOS and Android.

SCCM may be a better fit for managing the underlying server infrastructure that is powering your thin clients, as I assume those are connecting to Citrix or Microsoft Remote Desktop farms. In that case, Intune wasn't designed for that management stack, so you would be better suited to SCCM there.

 

The Microsoft story for DLP is something you would enable in your Office 365 tenant, and if necessary, deploy the Azure Information Protection P2 license functionality to automatically detect sensitive information that is created locally but not yet uploaded into Office 365. Think of O365 DLP as being effective as soon as users upload content into SharePoint, OneDrive or Teams, or send emails in Exchange Online. Think of AIP as a solution that fills the gap when a user creates local content and stores it on a USB drive or uploads it to an unsanctioned Google Drive/Dropbox site. AIP with auto-classification will scan for sensitive information and encrypt it. Or you can configure it to classify everything at the top-secret level and require users to de-classify content (this might make sense for research and development departments, where they are handling sensitive intellectual property).

It sounds like you would benefit from a discovery and envisioning session from a qualified Microsoft Partner, or perhaps Microsoft FastTrack to help guide you on your options. I understand at this point you are just trying to understand the features and functionality to understand if the solution is a fit and can meet your needs.

 

For documentation, I recommend you review the Intune documentation here:

https://docs.microsoft.com/en-us/intune/
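One way to put the MAM controls described in the reply above into practice, as an added example that is not from the reply or from Microsoft's own documentation: a PowerShell script that creates an Android app protection policy through Microsoft Graph, targets it at Outlook for Android, and verifies the settings before the policy is assigned. It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in account can write app protection policies in the tenant, and uses a constructed policy name.

```powershell
# Added example (not from the post). Creates an Android MAM policy via Microsoft Graph that
# enforces the two controls the reply describes: no Save-As into personal storage and no
# copy/paste from managed apps into personal apps. Requires the Microsoft.Graph SDK and the
# DeviceManagementApps.ReadWrite.All permission. The display name is a constructed value.

Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All"

$base = "https://graph.microsoft.com/v1.0/deviceAppManagement/androidManagedAppProtections"

$policy = @{
    "@odata.type"                           = "#microsoft.graph.androidManagedAppProtection"
    displayName                             = "Example - Outlook Android MAM"   # constructed
    # Block "Save As" from the managed app into personal storage locations
    saveAsBlocked                           = $true
    # Only allow cut/copy/paste between policy-managed apps, never into personal apps
    allowedOutboundClipboardSharingLevel    = "managedApps"
    # Restrict "open in" / share of corporate data to other managed apps
    allowedOutboundDataTransferDestinations = "managedApps"
    allowedInboundDataTransferSources       = "managedApps"
    # App PIN: relevant because the question mentions handsets shared between users
    pinRequired                             = $true
}

# 1. Create the policy shell
$created = Invoke-MgGraphRequest -Method POST -Uri $base -Body $policy

# 2. Target it at Outlook for Android (Android package id of the Outlook app)
$target = @{
    apps = @(
        @{
            mobileAppIdentifier = @{
                "@odata.type" = "#microsoft.graph.androidMobileAppIdentifier"
                packageId     = "com.microsoft.office.outlook"
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$base/$($created.id)/targetApps" -Body $target

# 3. Read the policy back and fail loudly if the DLP-style settings did not apply
$check = Invoke-MgGraphRequest -Method GET -Uri "$base/$($created.id)"
if (-not $check.saveAsBlocked -or
    $check.allowedOutboundClipboardSharingLevel -ne "managedApps") {
    throw "Policy $($created.id) was created but its data-protection settings did not apply."
}
Write-Host "Policy $($created.id) created and verified; assign it to a group to enforce it."
```

The policy only takes effect once it is assigned to an Azure AD group; until then it exists but enforces nothing.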

 

Many thanks, that link was very helpful and, as you said, I am looking at a discovery stage as we move into a cloud-first, mobile-first world.

Thanks once again. It's all new to me, and it looks like I will have no budget to bring in Microsoft or a consultant. So it's all down to me to put together a plan to put in Intune and SCCM to replace the scenario.

 

Also comparing it with Airwatch.
