What Is Microsoft Intune?

Manage corporate-owned and personal devices while balancing security requirements with employee productivity.

Dean Ellerby, Petri Contributor

Dean is a Microsoft Security MVP, Microsoft Certified Trainer, and co-organizer at the Workplace Ninjas UK.


At its core, Microsoft Intune is a Mobile Device Management (MDM) and Mobile Application Management (MAM) solution. It enables organizations to manage both corporate-owned and personal devices (Bring Your Own Device, or BYOD) in a way that balances security requirements with employee productivity.

Intune integrates deeply with the Microsoft ecosystem, including Microsoft Entra ID (formerly Azure Active Directory), Microsoft 365, and Windows Autopilot. It’s designed to help organizations protect sensitive information by controlling who can access data, what devices can be used, and how resources are accessed.

Key features of Microsoft Intune

Key features of Intune include:

  • centralized device management
  • robust application control
  • seamless integration with existing IT infrastructure.

Intune allows organizations to enforce security policies, deploy software updates, and manage settings across various devices from a single console. This ensures consistency, compliance, and streamlined IT operations.

What is Microsoft Intune (Image credit: Microsoft)

Device management

Microsoft Intune enables IT teams to manage devices across all major platforms, including Windows, macOS, iOS, iPadOS, Android, and Linux. This cross-platform compatibility ensures that organizations can maintain consistent management and security policies regardless of the devices their workforce uses, and is often referred to as ‘single pane of glass’ for remote device management.

Microsoft Intune – supported device platforms (Image credit: Dean Ellerby/Petri)

Administrators can use Intune to configure device settings to align with organizational requirements, such as setting up Wi-Fi configurations, deploying certificates, or enforcing password policies. Intune also simplifies software management by enabling IT admins to deploy updates, distribute apps, and monitor patch compliance from a centralized console. This ensures devices are running the latest versions of operating systems and applications, reducing vulnerabilities and enhancing user productivity.

In addition to configuration and updates, Intune plays a critical role in enforcing compliance policies.

Intune evaluates each enrolled device against the organization’s compliance policy, which can include checks for disk encryption, antivirus status, and baseline configuration such as Secure Boot or a minimum OS version, and reports the resulting compliant or non-compliant state to Microsoft Entra ID so it can be used to decide whether to grant access to corporate resources.

Devices that fail to meet compliance requirements can be blocked or restricted until issues are resolved, protecting sensitive corporate data and minimizing risks from non-compliant or potentially compromised devices.

Application management

Microsoft Intune’s application management capability allows organizations to oversee and control apps on managed devices. It enables IT teams to ensure apps are properly configured and kept up to date.

Through Intune, administrators can deploy apps to devices directly from sources like the Microsoft Store, Apple App Store, or Google Play, as well as distribute custom line-of-business (LOB) applications.

This centralized deployment ensures employees have access to the tools they need without requiring manual installation, reducing downtime, user errors, and the need for local administrator permissions. 

Intune application management (Image credit: Dean Ellerby/Petri)

Conditional Access

Because Intune reports each device’s compliance state to Microsoft Entra ID, that state is available as a condition in Conditional Access policies. A Conditional Access policy can then require a compliant device, alongside identity controls such as multifactor authentication, before granting access to corporate resources, reducing the risk that an unmanaged or out-of-policy device is used to reach corporate data.
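The compliance-to-Conditional-Access chain described in the compliance and Conditional Access sections above, as an added example using the Microsoft Graph PowerShell SDK (this is illustrative code written for this page, not Microsoft’s or the author’s). It assumes the Microsoft.Graph module is installed, that the signed-in administrator can consent to the listed scopes, and that the two group IDs are placeholders you replace with your own pilot and emergency-access groups. The Windows compliance policy below enforces the checks the article mentions (encryption, antivirus, baseline configuration); the Conditional Access policy that consumes it is created in report-only mode so that sign-in logs can be reviewed before anyone is blocked.

```powershell
# Added example, not from the article: create an Intune compliance policy, assign it,
# then create a Conditional Access policy that requires a compliant device.
Import-Module Microsoft.Graph.Authentication
$scopes = @(
    'DeviceManagementConfiguration.ReadWrite.All',   # compliance policies
    'Policy.ReadWrite.ConditionalAccess',            # Conditional Access policies
    'Policy.Read.All'
)
Connect-MgGraph -Scopes $scopes

$pilotGroupId      = '00000000-0000-0000-0000-000000000001'   # placeholder: pilot users
$breakGlassGroupId = '00000000-0000-0000-0000-000000000002'   # placeholder: emergency-access accounts

# 1) Windows compliance policy. scheduledActionsForRule is mandatory when creating via
#    Graph; without it the request is rejected.
$compliance = @{
    '@odata.type'            = '#microsoft.graph.windows10CompliancePolicy'
    displayName              = 'Windows - baseline compliance'
    description              = 'BitLocker, Secure Boot, code integrity, TPM, firewall, Defender AV'
    bitLockerEnabled         = $true
    storageRequireEncryption = $true
    secureBootEnabled        = $true
    codeIntegrityEnabled     = $true
    tpmRequired              = $true
    activeFirewallRequired   = $true
    antivirusRequired        = $true
    rtpEnabled               = $true      # real-time protection on
    passwordRequired         = $true
    passwordMinimumLength    = 12
    # Feed the Defender for Endpoint risk score into compliance (requires the MDE connector).
    deviceThreatProtectionEnabled               = $true
    deviceThreatProtectionRequiredSecurityLevel = 'medium'
    scheduledActionsForRule = @(
        @{
            ruleName = 'PasswordRequired'
            scheduledActionConfigurations = @(
                @{ actionType = 'block'; gracePeriodHours = 0
                   notificationTemplateId = ''; notificationMessageCCList = @() }
            )
        }
    )
}
$policy = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies' `
    -Body $compliance

# 2) Assign it. An unassigned policy evaluates nothing, and a device with no compliance
#    policy assigned is treated as not compliant by a "require compliant device" control.
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($policy.id)/assign" `
    -Body @{ assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $pilotGroupId } }
    ) }

# 3) Conditional Access: require a compliant Windows device for all cloud apps, scoped to
#    the pilot group, break-glass accounts excluded, report-only until the logs look right.
$ca = @{
    displayName = 'Require compliant Windows device (pilot)'
    state       = 'enabledForReportingButNotEnforced'   # change to 'enabled' to enforce
    conditions  = @{
        users        = @{ includeGroups = @($pilotGroupId); excludeGroups = @($breakGlassGroupId) }
        applications = @{ includeApplications = @('All') }
        platforms    = @{ includePlatforms = @('windows') }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice') }
}
Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' `
    -Body $ca
```

Two points worth keeping in mind when adapting this: the compliance policy only produces a state for devices it is assigned to, so the Conditional Access scope should never be wider than the compliance assignment, and the emergency-access exclusion is what keeps a misconfigured policy from locking administrators out of the tenant.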

Microsoft Entra Conditional Access (Image credit: Dean Ellerby/Petri)

Endpoint security

Microsoft Intune provides robust endpoint security configurations, enabling organizations to protect devices against a wide range of threats while maintaining compliance with organizational policies. 

A central capability of Intune’s security management is its integration with Microsoft Defender Antivirus for Windows. Administrators can configure and enforce antivirus policies, such as enabling real-time protection, setting scan schedules, and defining exclusion rules for specific files or processes. 

Intune also integrates seamlessly with Microsoft Defender for Endpoint (MDE), Microsoft’s endpoint detection and response (EDR) solution. This integration allows for advanced threat detection and mitigation on Windows devices, providing organizations with detailed insights into potential risks.

Intune can enforce MDE onboarding policies, ensuring devices are enrolled in the EDR service and monitored for vulnerabilities, anomalous behavior, or active threats. 

Microsoft Intune endpoint security (Image credit: Dean Ellerby/Petri)

Additionally, Intune supports data-at-rest encryption to protect sensitive information on devices. This includes configuring and enforcing BitLocker encryption for Windows devices and FileVault for macOS devices, ensuring that lost or stolen devices cannot expose corporate data. 

App Protection Policies

Microsoft Intune simplifies the management of personal devices (the same policies can also be applied to corporate devices) by separating personal and work data through App Protection Policies (APP). Employees can access work apps and resources securely without compromising their privacy.

App Protection Policies in Intune provide a more privacy-conscious and user-friendly solution for managing personal devices compared to traditional Mobile Device Management (MDM).

Unlike MDM, which requires full device enrollment and grants IT control over the entire device, APP focuses solely on securing corporate data within approved applications like Outlook or Teams. This addresses common privacy concerns in BYOD environments.

App Protection Policies in Microsoft Intune (Image credit: Dean Ellerby/Petri)

With APP, organizations can selectively wipe only corporate data if an employee leaves or loses access, leaving personal content untouched. In contrast, MDM often enforces full-device wipes, which can disrupt personal use. APP also offers granular controls, such as app-specific PINs and restricted copy-paste functionality, ensuring robust protection without overreaching into personal data.

For organizations allowing personally-owned devices to be used for work-related tasks, APP strikes a balance between security and user privacy, fostering trust while maintaining control over sensitive information.
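The controls listed above (app-specific PIN, restricted copy-paste, corporate data kept inside approved apps, selective wipe) as an added example of an iOS App Protection Policy created with the Microsoft Graph PowerShell SDK; this is code written for this page, not Microsoft’s or the author’s. It assumes the Microsoft.Graph module is installed, the DeviceManagementApps.ReadWrite.All scope can be consented to, and that the group ID is a placeholder for your BYOD users. Because the policy is MAM-only, it applies without device enrollment.

```powershell
# Added example, not from the article: an iOS App Protection Policy targeting Outlook
# and Teams, then assigned to a BYOD group.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'DeviceManagementApps.ReadWrite.All'

$byodGroupId = '00000000-0000-0000-0000-000000000003'   # placeholder: BYOD users group

$app = @{
    displayName = 'iOS - BYOD app protection'
    description = 'MAM without enrollment: corporate data stays inside managed apps'
    # Data transfer: corporate data may only move between policy-managed apps.
    allowedOutboundDataTransferDestinations = 'managedApps'
    allowedInboundDataTransferSources        = 'managedApps'
    allowedOutboundClipboardSharingLevel     = 'managedAppsWithPasteIn'  # paste in allowed, copy out blocked
    saveAsBlocked                     = $true   # no "Save as" to personal storage
    dataBackupBlocked                 = $true   # keep corporate data out of iCloud backup
    printBlocked                      = $true
    contactSyncBlocked                = $true
    managedBrowserToOpenLinksRequired = $true   # links open in a managed browser
    # Access requirements: app PIN, periodic re-check, block jailbroken devices.
    pinRequired                       = $true
    minimumPinLength                  = 6
    pinCharacterSet                   = 'numeric'
    periodBeforePinReset              = 'PT0S'   # ISO 8601 duration; 0 = never force a reset
    periodOnlineBeforeAccessCheck     = 'PT30M'
    periodOfflineBeforeAccessCheck    = 'PT12H'
    periodOfflineBeforeWipeIsEnforced = 'P90D'   # selective wipe of app data after 90 days offline
    organizationalCredentialsRequired = $true
    deviceComplianceRequired          = $true    # jailbroken/rooted devices are blocked
}
$policy = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections' `
    -Body $app

# Target the apps the policy protects (iOS bundle IDs for Outlook and Teams).
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections/$($policy.id)/targetApps" `
    -Body @{ apps = @(
        @{ mobileAppIdentifier = @{ '@odata.type' = '#microsoft.graph.iosMobileAppIdentifier'; bundleId = 'com.microsoft.Office.Outlook' } },
        @{ mobileAppIdentifier = @{ '@odata.type' = '#microsoft.graph.iosMobileAppIdentifier'; bundleId = 'com.microsoft.skype.teams' } }
    ) }

# Assign the policy to the BYOD group; unassigned policies protect nothing.
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections/$($policy.id)/assign" `
    -Body @{ assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $byodGroupId } }
    ) }
```

The clipboard and data-transfer settings are the ones that actually keep corporate data inside the managed app set; the PIN and access-check intervals govern who can open those apps. Note that an App Protection Policy only takes effect once the user signs in to a targeted app with a work account, so a device that has not yet done so shows nothing in the reports.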

Zero-touch deployment

One of Intune’s most well-known features is its support for zero-touch device provisioning for Windows, Android, iOS and iPadOS, and macOS. Through close integration with vendor platforms like Windows Autopilot, Apple Business Manager, and Android Enterprise, Intune helps admins eliminate the traditional complexities of provisioning devices.

These integrations ensure that devices can be pre-configured with the necessary settings, policies, and apps, delivering a ready-to-use experience without manual intervention.

Windows Autopilot (Image credit: Dean Ellerby/Petri)

With zero-touch deployment, new devices can be shipped directly to employees or end users, without the need for IT admins to log in to them (or even see them!) ahead of shipping.

As soon as a user powers on the device and logs in with their credentials, the system automatically applies organization-specific configurations. This includes installing business-critical applications, applying security policies, and configuring settings like Wi-Fi and email. This process not only reduces setup times but also minimizes the chance of errors or inconsistencies that often occur with manual configurations.

How does Microsoft Intune work?

The Microsoft Intune admin center is a unified interface for managing devices and apps, across the various platforms it supports. To explain how it works, there are 3 core areas that we’ll look at:

  1. Device enrollment
  2. Policy configuration
  3. Monitoring and reporting.

1. Device enrollment

The first step in managing devices with Intune is enrollment, where devices are connected to the Intune service for management. Intune supports various enrollment methods tailored to the device type and ownership model:

  • Windows Autopilot enables zero-touch provisioning for Windows devices, delivering a ready-to-use experience with minimal IT intervention.
  • Apple Device Enrollment integrates with Apple Business Manager, simplifying the process of enrolling iOS, iPadOS, and macOS devices while ensuring they are configured with the required policies.
  • Manual Enrollment is available for scenarios where automated methods aren’t feasible, allowing users to manually register their devices through the Intune Company Portal.

Once enrolled, IT administrators can apply policies, deploy apps, and enforce security requirements. 

It’s important to note that a device can only be managed by, or enrolled into, one Mobile Device Management platform at a time. Changing MDM typically (but not always) requires a device to be fully reset. 
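Because a Windows device can hold only one MDM enrollment, the first thing to check before migrating or troubleshooting enrollment is which management authority the device is currently enrolled with. The following is an added example written for this page (not the article’s or Microsoft’s code) that reads the local enrollment state from the Enrollments registry hive and cross-checks it with dsregcmd; run it in an elevated PowerShell session on the device. The assumption that Intune’s discovery URL contains manage.microsoft.com holds for the commercial cloud; sovereign clouds use different hostnames.

```powershell
# Added example, not from the article: report the MDM enrollment(s) present on this device.
function Get-MdmEnrollment {
    $root = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    Get-ChildItem $root -ErrorAction SilentlyContinue |
        # Enrollment records are GUID-named subkeys; Context/Status/Ownership etc. are not.
        Where-Object { $_.PSChildName -match '^[0-9a-fA-F-]{36}$' } |
        ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            # Entries without a ProviderID are not MDM enrollments (e.g. provisioning packages).
            if ($p.ProviderID) {
                [pscustomobject]@{
                    EnrollmentId    = $_.PSChildName
                    ProviderID      = $p.ProviderID              # 'MS DM Server' for Intune
                    EnrollmentType  = $p.EnrollmentType
                    EnrollmentState = $p.EnrollmentState
                    UPN             = $p.UPN
                    ManagementUrl   = $p.DiscoveryServiceFullURL
                }
            }
        }
}

$enrollments = @(Get-MdmEnrollment)
$enrollments | Format-Table -AutoSize

# Decide what the device is enrolled with (commercial-cloud assumption, see lead-in).
$intune = $enrollments | Where-Object { $_.ManagementUrl -like '*manage.microsoft.com*' }
if ($intune) {
    "Intune-enrolled as $($intune.UPN)"
} elseif ($enrollments.Count -gt 0) {
    "Enrolled with a different MDM: $($enrollments.ManagementUrl -join ', ')"
} else {
    'Not MDM-enrolled'
}

# Cross-check with the device-state tool: MdmUrl is empty on an unenrolled device, and the
# join state tells you whether the device is Entra joined, hybrid joined, or neither.
dsregcmd /status | Select-String 'AzureAdJoined|DomainJoined|MdmUrl'
```

A device that shows an enrollment record for another MDM must be unenrolled from it (and, in most cases, reset) before Intune enrollment will succeed; a stale record left behind by an earlier enrollment attempt is a common cause of a failed Autopilot or Company Portal enrollment.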

2. Policy configuration

After devices are enrolled, administrators use Intune to define and deploy policies that govern device behavior, app availability, and security settings. Policies can include:

  • Compliance Policies: Ensure devices meet organizational security requirements, such as enforcing encryption, requiring strong passwords, or mandating antivirus protection.
  • Configuration Profiles: Automate device setup by defining settings like Wi-Fi configurations, VPN access, and restrictions.
  • App Deployment Policies: Allow administrators to push business-critical applications to users or devices, ensuring the right tools are available to the workforce.

3. Monitoring and reporting

Intune includes a set of monitoring and reporting capabilities that give IT teams detailed insight into the health and compliance of managed devices. Administrators can view dashboards and reports that provide data on device compliance, app installation status, and vulnerabilities, and use them to find devices that have fallen out of compliance or have not checked in.

Getting started with Microsoft Intune

To begin using Microsoft Intune, organizations need appropriate licensing, such as Microsoft 365 E3, E5, or Intune-specific plans. Once licensed, IT administrators can configure Intune in the Microsoft Intune admin center, set up enrollment methods, and define management policies.

All users who enroll devices must have an appropriate license, or enrollment will simply fail to complete. 

In conclusion, Microsoft Intune is a powerful tool for modern device and application management. Its ability to secure corporate resources, streamline IT operations, and enhance user experiences makes it an essential solution for organizations navigating today’s dynamic work environments.