SOLVED

Looking at Intune subscriptions and its related features

Copper Contributor

Hey guys, I need help for subscription for my company.

Please kindly advice me which is the baseline plans I can subscribe in order to fulfill the features I am looking at.

 

Intune alone for now, I believed is referred as Enterprise Mobility + Security (EMS) ?

 

I am looking at what should be MAM features:

- Restricted copy and paste of information from controlled apps

- Remote wipe of controlled apps' information (not wiping whole phone)

- At least 3 admin accounts + X numbers of users (Are there different accounts/subscriptions for admins?)

- Able to manage devices by groups (ie: Sales / Operators / Admins / Managements etc)

 

With the above requirements, will Enterprise Mobility + Security E3 plan be enough?

Also , are there any minimum requirements for on premise Exchange to support intune?

 

I am having only very general idea of intune products, my question might be down to very basic stuffs.

Appreciate for any help as much as possible!

18 Replies
EMS E3 is a good overal Intune package, but.. Do you already have certain 365 subscriptions? If you already have Office365 E3 for example, adding EMS E3 to it is good but for not that much more money you could also take Microsoft 365 E3 with has those two combined and more. You could use https://m365maps.com for easy comparison.

You can manage devices with groups by adding Group Tags to the Autopilot devices for example. On premise Exchange has no relation to Intune, you can use Intune to configure Outlook settings for that but there's no real requirement. There are no different subscriptions for admins, but Intune admins do require a Intune license.

But what is your main goal, manage existing and new devices? Do the devices need to be joined to your Active Directory or not? (The difference between Hybrid Join and normal Azure AD/Intune)

@Harm_VeenstraHey, thanks for slowing directing me to the right path.

 

Firstly I am not looking at Office 365 subscriptions as we already using on-prem solutions (AD and Exchange). Its good to hear that intune has no requirements with on-prem exchange versions.

 

I am looking to manage mainly personal mobile devices, both existing and new (new hires). Currently we don't register them to AD, we only simply allow the devices into the network by static IPs. I don't think our AD is accessible from the internet either as it is on prem and not configured to do so. This mean using intune standalone will be the best solution for us?

 

 

Intune standalone (Just the Intune license) could be enough for your mobile devices, but for Conditional Access for example you do need Azure AD Premium P1 licenses. When using Intune and deploying mobile devices, the devices do get Azure AD registered and MDM managed by that, Azure AD Connect and syncing your users will be needed to assign licenses to the users.
So sorry, I think I am getting a bit confused here. Let's go back to the basic features I am looking at and hopefully I can catch your professional advise again moving along.

Its confirmed that the standalone EMS+ E3 covers:
- Restriction of copy and paste data from controlled apps on mobile devices
- Remote wipe of controlled apps' information (not wiping whole phone) - MDM
- Management of devices in group tags

All these can be done with manual management on the intune portal with the standalone EMS+ E3 plan away from any AD features? We have just a small pool of devices to manage, so I believe manual management is quite manageable for us.

Next set of questions will be (Still with EMS+ E3 plan alone in mind):
1. How would the assigning of devices licenses work? Manually assigning the license to devices or it will be auto assigned once device is registered?
2. Assuming all processes are manual, Am I able to restrict 1 user per registered device? Or users can abuse and register multiple devices (without AD connect)

Apologies and appreciate your kind patience to go through with me a bit slowly.

Thanks!



best response confirmed by Yeo-Zao (Copper Contributor)
Solution
It seems like you want a bit of MAM and MDM, it's best to completely manage the devices with MDM in my opinion. Are the devices BYOD or COD? Per licensed user you can have 15 devices registered. Licensing a user can be done manual or, if you have Azure AD Premium P1 and Azure AD Connect, by assinging Windows Active Directory Groups to that license. You can set the max amount of devices to one user if you want, that way you know that they can only use one device.

But without Azure AD Connect and syncing users, you will have users having a seperate account next to their Active Directory account with different passwords.. I wouldn't recommend it, running Azure AD Connect is free and will only cost you some server resources.

Thanks for the clear explanation. I'm starting to get a bigger picture. Those devices we are managing are BYOD.

 

Considering Azure AD connect as optional (I'm not sure if my senior IT would be comfortable opening up on-prem AD connections), I can basically subscribe to EMS + E3 to perform the required tasks mentioned.

 

I also undertsand the cons of manual user entries that will end up separate accounts for the users apart from their AD accounts.

 

For subscription sizing wise, I just need to subscribe the total amount of users accounts, doesn't matter how many administrators there are.

 

Then there are no on-prem requirements like server os versions, AD versions and exchange versions etc.

 

Hope I have a good rough summeries here? 

Sounds like it :ok_hand:But the admins should have a Intune license too for administration.

Yup I understood. Total subscription sizing = users + admins. Don't mind me asking few last questions here.

- I checked and notice the operation of iPhone and Android is slightly different. Android devices after registered, will create a "work" space of apps.
IPhone does not. All apps are together in homepage. So when wiping the phone, are we still able to just wipe company's data only for iPhone?

- other than deploying standard office apps to mobile devices, can we also deploy and control 3rd party apps from appstore/play store?
You can retire a device to wipe the company data only https://docs.microsoft.com/en-us/mem/intune/remote-actions/devices-wipe#retire. And yes, everything that you can see in Appstore or Play store can be deployed to the device. Controlling settings inside of those apps is limited to just the Microsoft Apps AFAIK

Hey thanks for the reply and apologies for the late response. This means can I still restrict copy and paste data from an intune deployed 3rd party app? 

Did you start on configuring things yet? If my answers were helpful, please mark it as solution to mark this as solved

Hey, apologies for replying late. We are still in discussion on the process. By the way, are we able to trial on the Enterprise Mobility + Security E3 plan?

I know that we can trial on the Enterprise Mobility + Security E5. But if possible, I will like to experience an apple to apple comparison on the trial and try to avoid any hiccups during the actual implementation. For example, in case after testing out Enterprise Mobility + Security E5 plan and started implementing Enterprise Mobility + Security E3 to my company and noticing there are features I was using in trial (E5) but not available during actual implementation (E3).
No worries, not sure if there is a trial version of E3.. You could use a few licenses for a month and then stop the subscription for testing?
Hey, appreciate your advice. Maybe I can propose this to my management.
Thanks, let us know and please mark my answer as solution to mark it as solved
Yes, Thank you for all the help!
Sorry but where can I find the option to mark as solution? I can't seems to find it. Thanks
1 best response

Accepted Solutions
best response confirmed by Yeo-Zao (Copper Contributor)
Solution
It seems like you want a bit of MAM and MDM, it's best to completely manage the devices with MDM in my opinion. Are the devices BYOD or COD? Per licensed user you can have 15 devices registered. Licensing a user can be done manual or, if you have Azure AD Premium P1 and Azure AD Connect, by assinging Windows Active Directory Groups to that license. You can set the max amount of devices to one user if you want, that way you know that they can only use one device.

But without Azure AD Connect and syncing users, you will have users having a seperate account next to their Active Directory account with different passwords.. I wouldn't recommend it, running Azure AD Connect is free and will only cost you some server resources.

View solution in original post