Microsoft Endpoint Manager (MEM) is Microsoft’s cloud-based device management platform; Nerdio Manager for MSP launched integrations with it in February 2022. Within MEM, Microsoft Intune provides granular control of your physical and virtual desktops and laptops. Intune can manage mobile (iOS / Android) devices as well as Windows and macOS.
Historically, organizations have managed their end-user devices with a variety of products, most commonly Microsoft System Center Configuration Manager. These products work well when managing devices attached to internal networks, but managing external devices can be complex and challenging given today’s work landscape. A significant proportion of employees work in a hybrid manner, moving devices between the office and the home, so a device management solution that better fits these requirements is needed.
Intune is different from traditional solutions: the product was designed as a web-based device management solution, and it can also manage the device enrollment lifecycle. By taking advantage of Intune’s “Windows Autopilot” feature, end-users can have brand new devices delivered to their home from the manufacturer or reseller. These devices will then auto-provision themselves out of the box, deploying the settings and applications required for the user. There are many steps to achieving such an outcome, but the key point is that it’s possible!
Autopilot is just one aspect of Intune. The service covers the full range of device management requirements. Let’s examine some of the key benefits.
Policy and Security
Compliance policies let you control which devices may access corporate services based on whether they meet your requirements. Devices are checked and either barred from using corporate services or flagged within the console until they meet the specific requirements, such as having antivirus enabled. These policies are fully configurable.
Configuration profiles are analogous to group policies, and you can even import existing group policy objects into your configuration profiles in order to manage device configuration settings.
Intune also allows the creation of various security policies and features, including data loss prevention (DLP) policies. Enrolled devices can also be rebuilt, blocked or wiped at the discretion of an administrator.
Intune can be used to manage application deployment to your devices, including Win32, MSI and Windows Store applications. The corporate iOS App Store and Google Play stores can also be linked, allowing application management for mobile devices.
Patching and Updates
Windows quality and feature updates can be managed from the console, and the status of devices can be recorded in a log analytics workspace for reporting purposes.
Mobile Device Management (MDM) vs Mobile Application Management (MAM)
MDM is generally used to manage corporate devices, where all aspects of the devices should be managed and controlled by the organization. MAM is generally used for lighter touch management on personal devices, where you need to control specific corporate applications or data, but you do not want to compromise the sovereignty of the user’s personal device.
Where to Start?
It’s important to recognize that a move to Intune-based device management does not require a “big bang” or “all in” approach. We recommend that you identify a small subset of devices – maybe 5-10 – for initial testing. Defining your management objectives and device types prior to piloting the service is beneficial. There are five key questions you should ask before starting out, and Microsoft has plenty of guides (linked below) to help:
- What device types will we manage?
- Will the devices we manage be Corporate, Personal or both?
- Can we define an initial set of user types and requirements (personas)?
- What groups (device and user) need to be created to give the correct level of management?
- What elements of device management do I need to focus on initially?
  - Application Delivery
  - Patching & updates
  - Device restrictions or policies
  - Autopilot Deployment
  - Security & DLP