Intune is not a new product, but its feature set has expanded significantly over its lifetime, and it has become an important tool for user and device management. Many organizations face challenges in understanding how Intune fits into their existing infrastructure. In this article, we take a historical look at endpoint management and identify Intune’s role in enabling modern, cloud-based user and endpoint management.
Traditional Endpoint Management
Windows Active Directory Domain Services (AD DS) is over 20 years old and has served organizations well. However, a lot has changed since its debut in Windows Server 2000. At the core are the authentication protocols: Windows AD uses NTLM and Kerberos to authenticate users and devices. NTLM was first introduced with Windows NT, and Kerberos was first used in Windows Server 2000 to support AD DS. Both protocols have a long history with Windows AD.
Kerberos and NTLM have been updated along the way, but they were created to address the scenarios of a legacy IT landscape. These protocols were designed for environments with a well-defined private network and firewalls protecting access to and from the internet. Clients outside the private network require a VPN to access resources on the network. Windows AD also depends on Windows clients, leaving limited options for Mac and mobile devices.
Most organizations that use AD DS also leverage Group Policy Objects (GPOs) to manage endpoints. GPOs are a set of policies that apply to systems or users during login and logoff. GPOs are used for many tasks, including modifying application settings, running scripts at login and logoff, and configuring security settings. They are an important part of user and device management in a Windows AD domain.
Microsoft, as well as third-party independent software vendors, created products that depend on AD DS for user management and authentication. One significant product for endpoint management is System Center Configuration Manager, also known as SCCM or Configuration Manager. This product enables deploying the client OS, applications, and configuration settings. Additional features include hardware inventory, software metering, and OS updates.
Configuration Manager and GPO provide user and endpoint management functionality critical to the successful management of an organization. Many organizations use these products today. However, they both depend on AD DS and legacy authentication protocols.
Microsoft Intune: The Future of Endpoint Management
Security is front and center in modern IT, and the traditional, well-defined private network presents challenges as users become increasingly mobile. End users expect to work from any location with an internet connection and from various device types. Windows AD, GPOs, and Configuration Manager were not designed for these challenges.
To meet these demands, there is a shift to a modern security strategy for authentication called Zero Trust. Microsoft’s implementation of Zero Trust is built on the following principles:
- Verify explicitly – Always authenticate and authorize based on multiple data points, including identity, location, device health, service access, data classification, and anomalies.
- Use least-privilege access – Limit elevated and administrative access to only what the user needs, and only for the time they need it. This is also called just-in-time and just-enough access (JIT/JEA).
- Assume breach – Minimize the blast radius with segmented access and use end-to-end encryption. Implement analytics for visibility, reporting, and threat detection before a breach occurs.
Zero Trust leverages multi-factor authentication (MFA) and other techniques to provide secure access to resources over the public internet. Entra ID (previously Azure AD) supports the Zero Trust framework with modern authentication protocols such as OpenID Connect, SAML, and OAuth 2.0. These protocols allow users to securely access resources over the public internet, removing the dependency on a secure perimeter network.
Many organizations have moved away from AD DS to Entra ID for authentication, while others are planning to do so in the near future. This move has significant advantages and security benefits but leaves a gap for user and endpoint management. Entra ID does not support GPOs, and Configuration Manager requires AD DS. There is a need for organizations to move to modern user and endpoint management solutions that don’t depend on legacy technology.
Intune for User and Device Management
Companies that use Entra ID turn to Intune to fill the gap left behind when AD DS is removed. Intune is a family of cloud-native SaaS services that provide user and endpoint management.
Intune supports functionality once provided by GPOs and Configuration Manager. Application management provides app deployment, updates, and removal. Intune also provides endpoint analytics to audit and report on device configuration. Compliance policies verify that the endpoints accessing company resources are healthy, and the resulting device state can be used as a signal in MFA and Conditional Access policies. Configuration Profiles simplify management by deploying applications and GPO-style settings across groups of devices.
In addition, Intune supports users on multiple endpoints, including Android, iOS, macOS, and Windows on mobile devices and PCs. Multi-OS support allows end users to work across various platforms while maintaining a high level of security.
Can I Use Intune for Hybrid Environments?
Hybrid environments, those with Windows AD and Entra ID, can continue to use GPOs and Configuration Manager while taking advantage of the benefits of Intune. Intune offers a co-management option for hybrid scenarios with Configuration Manager.
Hybrid offers a path to cloud-only management with little disruption to end users. An organization can keep its existing legacy user and endpoint management in place while taking a staged approach to moving to Intune for user and endpoint management. Windows AD has been central to user and device management over the life of the service, and it is not uncommon for outdated policies and settings that were once important to still exist in an environment. Migrating to a cloud-only environment with Entra ID and Intune provides an opportunity to review and update those policies.
IT changes rapidly. Active Directory Domain Services has experienced exceptional longevity, providing directory services for over 20 years. However, the changing IT landscape calls for an updated directory and authentication service that addresses security concerns for a modern workforce.
Entra ID, with support for modern services and authentication protocols, is a widely adopted alternative to AD DS. However, Entra ID does not support the same set of services and applications as AD DS, and Intune is the modern user and endpoint tool that fills these management gaps. Nerdio simplifies the management of users and endpoints with Intune integration, Unified Application Management, and Unified Endpoint Management. We’d love to tell you more!