Mobile Device Management (MDM) has existed since the days of Blackberry and the first truly smart enterprise-grade mobile devices. Over the last decade, this tech has matured and expanded to manage iOS, Android, and now Windows 10 and macOS.  Thus MDM has been redefined as ‘Modern Device Management’ with Microsoft’s Intune now the clear category leader.  It is achieving widespread global adoption as part of Microsoft 365’s success, with 35% global MDM market adoption expected in 2021 and over 50% in 2022.

Figure 1 – Intune Adoption as percentage of market. Brad Anderson, CVP Microsoft

In this article, we will explain how Modern Device Management on Windows devices is fundamentally different to traditional device management, yet similar to traditional mobile device management on iOS and Android.  We will also cover the “So What?” and discuss the newer technology capabilities available to you.

Microsoft Intune vs Traditional Windows Management

The big difference between Microsoft Intune and traditional management is the concept of profile-based management.

This is a break from image-based management, which has been the norm in Windows all the way back to Windows NT. In fact, Configuration Manager, or SCCM as it used to be called, was designed and released in 1994!

What makes Microsoft Intune different?

• Profiles vs Imaging A profile is a cluster of configuration settings that are applied to a device based on group membership. Think Group Policy Objects (GPOs). This allows profiles to be built modularly with multiple profiles assigned to a single person depending on their job function and app use needs. Images tend to be based on a single golden image that is standardised across the organisation, requiring manual effort to install applications that may be required for specific job functions.  Device imaging and image maintenance mean more work for IT with no real value added.
• Reversible vs Direct Write Configuration Profiles get applied over the top of the base state of the device and can be reversed without affecting the device itself. With imaging, the hard drive itself is overwritten – this cannot be reversed without re-imaging. Further, GPO changes directly overwrite the registry. With profile-based management changes can be reversed at the push of a button, remotely.
• Over-the-Air Updates With Intune, companies can leverage Windows Update for Business. The technology uses a concept called deployment rings; these rings are applied based on profile settings. The device then updates when its selected ring is reached during a deployment cycle. IT no longer needs to worry about patch management for Windows devices.
• Remote Configuration Devices enrolled in Intune do not need to be domain joined. Profiles will be downloaded to the device when a user logs in with their company email. Profiles, apps, and any other configurations will be applied over the air from anywhere on the planet. Devices no longer need to be touched by IT.
  
• Remote Wipe Microsoft Intune provides the ability to remote wipe all enrolled devices. Whether you need to wipe a smartphone, tablet, desktop or laptop with Intune you can send a remote wipe command to the device from anywhere on the planet.

All these are capabilities that have been available on iOS and Android devices for some time using traditional MDMs.  What this means now is that you can manage Windows 10 devices like a smartphone.

So What?

Intune brings all the advantages of mobile device management to desktops and laptops. You can unify your device management entirely under one technology and manage your entire fleet – including BYO devices – from a single pane of glass, all integrated in your Microsoft stack.

Here’s some business changing benefits you can expect once you switch to Microsoft Intune for all your devices.

Lower Device Management and Licensing Costs

91% of companies lowered their device management costs after switching to Intune according to Brad Anderson at Microsoft Ignite, 2020. Additionally, survey respondents stated they saw an 18% decrease in device management admin time after switching to Intune.

Intune makes device management less expensive and frees your IT resources to work on innovation instead of keeping the lights on.

Also, if you currently have an MDM provider, know that Microsoft Intune is included in the Microsoft 365 license. So, you can save licensing costs by sunsetting your existing MDM solution and switching to Microsoft Intune for all devices.

As a reminder, Intune supports iOS, iPadOS, macOS, Android, and Windows.

Faster Onboarding and Device Replacement

Using Microsoft Intune allows you to leverage Zero Touch Provisioning. Zero Touch Provisioning is a solution that integrates systems like Windows Autopilot, Apple Business Manager (or Apple School Manager for educators), Android Enterprise, and Knox Mobile Enrollment (for Samsung devices).

The business outcome is, when you procure a new device you can ship the device directly to the user it and it automatically gets enrolled into Intune.  IT are no longer the bottleneck.  You can cut your onboarding from weeks to two days.

Further, rapid replacement becomes available as wipe commands can be sent remotely and users can configure a new device over the air, usually in under 30 minutes.

Figure 2 – Illustration of Zero Touch Provisioning vs Legacy Device Provisioning

Better Security for Modern Work

Microsoft Intune uses deployment rings to update Windows machines. Along with profile-based configurations for Apple and Android, you can now set a configuration for Operating System updates on Windows machines, then have confidence they will remain patched and current. You’ll also get visibility of non-compliant devices.

Combining Intune with Azure Conditional Access lets you set up risk-based authentication and a zero-trust environment for your company.

But you can do more than secure corporate devices. You can secure BYO devices through Microsoft Intune by leveraging Mobile Application Management (MAM) policies, user enrolment & work profile, and Windows Information Protection. This means you can protect data on your employees’ devices – often without requiring them to give up control of their own device.

Remote Work Friendly Device Management

Microsoft Intune is a cloud-first technology and moves your company to a ‘post-domain’ world. Intune provides you visibility of your devices from anywhere, allows you to manage your devices from anywhere, and provides many remote support capabilities not previously possible.

Let’s face it, 2020 has changed employer and employee expectations on remote work.  Microsoft Intune is a cornerstone for the digital transformation necessary in IT today. Your PCs are not going to be staying within your private domain any longer, and you need device management technology designed for remote work.

Management of ARM-64 Devices

There is a new chip architecture storming the laptop category: ARM-64. Apple has launched their ARM-64 chip and Microsoft has their own ARM Surface laptop.

ARM-64 devices cannot be managed by traditional management tools. ARM-64 computers will not run x64 compiled software. Meaning you’d need a separate image just for these devices. So, to take advantage of new ARM computer benefits you will need to embrace an MDM like Microsoft Intune to ensure efficient management.

Microsoft Intune in 2021 – The Latest and Greatest

If you looked at Microsoft Intune several years ago, you may have passed it up.  Microsoft has been busy building new features into Intune and it has become the industry leader. Here’s some of the latest and greatest.

Figure 3 – Microsoft Intune Update Notes, 2020

Zero Touch Provisioning

Microsoft Intune now integrates with Windows Autopilot to allow Windows device manufacturers to add purchased devices to your tenant at the point of purchase. This means you can ship devices directly to users, and it means if the device is stolen it will still ‘call home,’ even if the device if reformatted.  This makes lost devices unusable and keeps them more secure.

You’ll know when each new device was added to your tenant, so inventory tracking is a breeze. If you currently manage inventory via a spreadsheet, this will be a huge time saver.

User Enrollment & Work Profile – BYOD Management That Respects Privacy

For iOS and Android devices, there is a new BYO device management option that sets up a logical partition in personal devices.  This separates work apps and data from personal apps and data. Employees retain control of their device and their own apps, while you get visibility and control only of work apps and data.

Intune can take advantage of these two technologies. For companies that want to encourage BYO and be able to provide curated apps and capabilities, this is a great feature.

Figure 4 – Android Work Profile example. Work apps are separated into their own logical partition. Your company manages only the work apps and data with no control or visibility of personal apps and data.

Mobile Application Management (MAM) – Light Touch Security

For an even lighter touch, use MAM to secure data in Office 365 apps on mobile devices without requiring enrolment. Your company secures company data with Office 365 apps only without any overhead or perceived privacy invasion. The technology even separates company data from personal data within the same application.

For information, check out a detailed report on Mobile Application Management.

Intune is a Core Part of the Microsoft 365 Cloud-First Ecosystem

The biggest strength of Microsoft Intune is that it is fully integrated with the Microsoft Security suite of technology, known as Enterprise Mobility and Security (EM+S).

This means you can reduce vendor sprawl and achieve tighter cohesion through the many layers of security in the Microsoft EM+S license, which is included in Microsoft 365.

Figure 5 – Microsoft Azure and EM+S = Layered Security

How to Get Started?

To get your company started with modern device management, consider contacting Mobile Mentor. Check out their services for Microsoft Intune including Intune Security Baseline, Zero Touch Provisioning, Intune for Windows, or their Configuration Manager t Intune Migration Workshop.

CONTACT MOBILE MENTOR