Microsoft EMS Components: Microsoft Intune
This article is the third in the series “What is Microsoft Mobility Suite?” All enterprises should take advantage of mobility. But what does this mean? How can a company take control of the myriad of devices that are available out there? Even if there were just a few company sanctioned devices and the company were to continually evaluate what the next device should be for deployment, there would always be an exception here and there. There will always be executives that want “their” device to be allowed and not necessarily the one that is company provided. So, what should you do?
What is Mobility?
Companies define mobility as a set of strategies and policies that define and govern the information in transit or rest but in devices controlled by the company itself. This is easier said than done when companies choose to allow most mobile devices and the workstations being used are in the form of laptops. So, when one talks about mobility, the ageing reference to a smartphone no longer applies. These days, mobility means all devices that can physically leave the premises and thus need to be secured, controlled and compliant.
Microsoft Intune is one of Microsoft’s cloud software as a service offering and provides a single application that includes a set of tools for device management, mobile application management and PC management. Microsoft Intune offers these capabilities without imposing requirements on the hardware and infrastructure side.
In this day and age of blurred personal and work-related computing lines, everyone expects to have connectivity to their work environment from the devices they love to use the most and frankly employers want to encourage that connectivity because they know it empowers employees by providing them with the flexibility and productivity they want.
Mobile Device Management
With Microsoft Enterprise Mobility Suite, which includes Microsoft Intune, enterprises can reduce the complexities presented by the multiple platforms that need to be supported by corporate BYOD policies. Microsoft Intune provides the framework for supporting both personal and corporate-owned devices from most mobile platforms, such as Windows, Android, iOS and Windows Phone.
Company and compliance policies can be enforced from a single management tool to all supported client platforms. Microsoft Intune provides an enrollment and installation of corporate applications through a self-services Company Portal. Non-compliant devices, or devices that do not meet the minimum number of security features or whose users do not accept company policies can be denied access or given reduced access to resources or services.
If the company has a large-scale deployment, then the enterprise can enroll through an Intune Service account or by using Apple Configurator to reduce the workload.
Microsoft Intune also lets admins enforce features on enrolled devices, such as device lock, password reset, data encryption, and partial, selective wipe or even full wipe. All these features are aimed at protecting the corporate data being stored on the device itself for cases where it is lost or stolen.
Mobile Application Management
Microsoft Office Mobile is already integrated with Microsoft Intune and certain actions that would represent a data leak vector are already covered. Functions such as copy, cut and paste, save as, and other common methods that would expose corporate data to other apps in mobile devices are allowed to function as long as they are within the boundaries of the corporate set of apps. Attempts to save as or paste from the corporate apps into non-sanctioned apps is prevented through the use of App Wrapping tools. These features are in place with the intention of preventing data leakage, but they do not limit the functionality of the mobile devices themselves so that a personal app can still exchange data, copy and paste with others, just not from corporate data to non-corporate apps.
In the case of tighter compliance requirements, Microsoft Intune also allows for preventing mobile devices from installing certain apps, accessing certain URLs, pushing specific apps into the devices being managed, or even selectively delete the installation of specific apps that may already be installed.
The features that we have seen as part of Microsoft Intune wouldn’t be complete if it weren’t for the support of those same features for PCs. This level of integration of multiple platforms is available in some of the competing software. However, it is not as comprehensive or as functional as it is when Microsoft Intune is integrated with System Center Configuration Manager. This integration of tools not only allows for management but also for protecting against malware and tightening of settings in the Windows Firewall.
Microsoft Intune allows for easy management of BYOD policies, integrates with the Office apps for protecting corporate data from leaking out, requires no infrastructure to run as it is a cloud service, is available with 24/7 support, and best of all it integrates with your Active Directory or Azure Active Directory as part of Microsoft Enterprise Mobility Suite. This is overall your best play for managing mobile devices.