Cleverly named, Microsoft Intune (also known as Microsoft Endpoint Manager) is a cloud service connected to Microsoft Azure that provides a number of incredibly useful features for devices joined to Azure Active Directory. For more information on Azure Active Directory please see our Azure Active Directory – Your Questions Answered post.
What are the key benefits of Intune?
Microsoft Intune is a cloud service in the Microsoft 365 family and focuses on MDM (Mobile Device Management) and MAM (Mobile Application Management) for your organisation. As the names suggest, MDM is the management of devices and MAM is the management of the applications on those devices. Despite the word "mobile", this is not limited to phones and laptops: desktops joined to Azure AD can be managed in exactly the same way.
Some of the key benefits to Microsoft Intune are as follows:
- Corporate devices can be completely wiped via the Intune portal, removing all applications and data, on Windows, Android and iOS.
- Corporate data can be wiped from employees' personal devices via the Intune portal while their personal data is left alone, again on Windows, Android and iOS.
- Application Protection Policies can be added to prevent SharePoint and OneDrive data leaving the managed environment.
- The same Application Protection Policies can be used to lock data to corporate applications, preventing copy and paste into non-corporate (unmanaged) applications.
- Policies can require a PIN before a corporate application opens, so that data is not seen by people outside the company if a device is picked up or shared.
- Windows Autopilot profiles can be built so that applications, settings and policies are installed automatically during the out-of-box experience (OOBE), with no hands-on setup by IT.
- Software can be deployed remotely as packages. For example, a new software package can be pushed to many machines in a fraction of the time it would take to visit each machine individually.
- All Azure AD-joined and Intune-enrolled machines appear in the portal as an asset inventory, which is useful for insurance purposes.
- Machines report their compliance state, for example Windows 10 version, installed security updates and more, and non-compliant devices can be blocked from corporate data by Conditional Access.
- Update rings control when the latest Windows 10 feature and quality updates reach machines, and machines can be split into groups that receive them at different times (pilot first, everyone else later).
- Local drives can be BitLocker encrypted automatically, with the recovery keys escrowed to Azure AD where they can be retrieved from the Intune portal if a drive ever needs to be unlocked.
- Windows configuration policies can be used to control almost any Windows setting remotely, for individual machines or groups.
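The compliance, encryption and asset-list points above are easiest to see by pulling the device list out of Intune yourself rather than clicking through the portal. The script below is an added example, not code from the original post or from Microsoft: it reads the Intune device inventory through Microsoft Graph (the `managedDevice` resource and its real property names) and flags devices that are non-compliant, not encrypted, or have not checked in recently. It assumes the Microsoft.Graph.Authentication PowerShell module is installed; the sample device records and the 30-day staleness threshold are constructed for illustration so the classification can be tried without a tenant.

```powershell
# Added example (not from the original post): report Intune-managed devices that are
# non-compliant, unencrypted or stale, grouped by ownership (company vs personal).
# Property names are those of the Graph v1.0 managedDevice resource.

function Get-IntuneManagedDevices {
    # Pages through /deviceManagement/managedDevices, following @odata.nextLink.
    # Requires a prior Connect-MgGraph with DeviceManagementManagedDevices.Read.All.
    $select = 'id,deviceName,userPrincipalName,operatingSystem,osVersion,complianceState,isEncrypted,managedDeviceOwnerType,lastSyncDateTime'
    $uri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?`$select=$select"
    $devices = @()
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        $devices += $page.value
        $uri = $page.'@odata.nextLink'
    }
    return $devices
}

function Get-DeviceRiskFlags {
    param(
        [Parameter(Mandatory)] $Device,
        [int] $StaleAfterDays = 30   # assumed threshold; tune to your check-in expectations
    )
    # Pure function: works on a hashtable returned by Graph or on the constructed sample below.
    $flags = @()
    if ($Device.complianceState -ne 'compliant') { $flags += "compliance=$($Device.complianceState)" }
    if (-not $Device.isEncrypted)               { $flags += 'not-encrypted' }   # null counts as unencrypted
    $lastSync = [datetime]$Device.lastSyncDateTime
    if ($lastSync -lt (Get-Date).AddDays(-$StaleAfterDays)) {
        $flags += "stale-sync=$($lastSync.ToString('yyyy-MM-dd'))"
    }
    return $flags
}

function Format-IntuneRiskReport {
    param([Parameter(Mandatory)] [object[]] $Devices)
    $Devices | ForEach-Object {
        [pscustomobject]@{
            Device    = $_.deviceName
            User      = $_.userPrincipalName
            OS        = "$($_.operatingSystem) $($_.osVersion)"
            Ownership = $_.managedDeviceOwnerType   # 'company', 'personal' or 'unknown'
            Flags     = (Get-DeviceRiskFlags -Device $_) -join ', '
        }
    } | Where-Object { $_.Flags } | Sort-Object Ownership, Device
}

# Constructed sample records (not real devices) so the report runs offline.
$sample = @(
    @{ deviceName = 'LAPTOP-01'; userPrincipalName = 'alice@contoso.example'; operatingSystem = 'Windows'; osVersion = '10.0.19045.3930';
       complianceState = 'compliant';    isEncrypted = $true;  managedDeviceOwnerType = 'company';  lastSyncDateTime = (Get-Date).AddHours(-2).ToString('o') },
    @{ deviceName = 'LAPTOP-02'; userPrincipalName = 'bob@contoso.example';   operatingSystem = 'Windows'; osVersion = '10.0.19044.1288';
       complianceState = 'noncompliant'; isEncrypted = $false; managedDeviceOwnerType = 'company';  lastSyncDateTime = (Get-Date).AddDays(-45).ToString('o') },
    @{ deviceName = 'iPhone-carol'; userPrincipalName = 'carol@contoso.example'; operatingSystem = 'iOS'; osVersion = '16.5';
       complianceState = 'compliant';    isEncrypted = $true;  managedDeviceOwnerType = 'personal'; lastSyncDateTime = (Get-Date).AddDays(-1).ToString('o') }
)
Format-IntuneRiskReport -Devices $sample | Format-Table -AutoSize
# Only LAPTOP-02 is listed: compliance=noncompliant, not-encrypted, stale-sync=<date>

# Against a real tenant (read-only scope, nothing is changed):
# Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All'
# Format-IntuneRiskReport -Devices (Get-IntuneManagedDevices) | Format-Table -AutoSize
```

The report deliberately treats a missing `isEncrypted` value as unencrypted and uses a read-only Graph scope, so it can be run routinely (or scheduled) without any risk of touching devices. A device that is "compliant" in the portal but has not synced for weeks is still worth chasing: compliance is only as current as the last check-in.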
The key difference between corporate-owned and personally-owned devices (BYOD)
Corporate-owned devices are typically joined to Azure AD or, for mobiles, enrolled through an app that has device-level management rights (including the ability to wipe the whole device), and an MDM policy is assigned to them.
An employee's personal device that they use for work (Bring Your Own Device, BYOD) uses the same app, but a MAM policy applies instead. In the MAM case a separate "Work" area is carved out on the device and, depending on the setup, the employee can install a second copy of the applications they already use personally; these copies are controlled by the MAM policy and the app, which can wipe the corporate data without touching anything personal. For example, if an employee uses Outlook for their personal email, Outlook will need to be installed again as a managed copy in order to connect to their work email.
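The practical consequence of the MDM/MAM split is that there are two different removal actions in Intune, and choosing the wrong one on a personal phone destroys the employee's own photos and messages. The script below is an added example, not code from the original post or from Microsoft: it uses the two real Graph v1.0 `managedDevice` actions, `retire` (removes company data, apps and the management profile, leaves personal data) and `wipe` (factory reset), and picks the action from the device's ownership type, defaulting to `retire` for anything that is not marked company-owned. It assumes the Microsoft.Graph.Authentication module and an existing `Connect-MgGraph` session; the device id is a placeholder.

```powershell
# Added example (not from the original post): remove corporate control from a device using
# the action that matches its ownership. Both actions are Graph v1.0 managedDevice actions
# and need the DeviceManagementManagedDevices.PrivilegedOperations.All scope.

function Select-IntuneRemovalAction {
    param([Parameter(Mandatory)] [string] $OwnerType)
    # Only company-owned devices are ever candidates for a full wipe. 'personal' and 'unknown'
    # get retire, so an employee's own data is never destroyed by a mistaken ownership record.
    switch ($OwnerType) {
        'company' { return 'wipe' }
        default   { return 'retire' }
    }
}

function Remove-IntuneDeviceControl {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $DeviceId,
        [switch] $ForceRetire   # retire even a company device, e.g. when only the data needs to go
    )
    $base   = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$DeviceId"
    $device = Invoke-MgGraphRequest -Method GET -Uri "${base}?`$select=id,deviceName,managedDeviceOwnerType"
    $action = if ($ForceRetire) { 'retire' } else { Select-IntuneRemovalAction -OwnerType $device.managedDeviceOwnerType }

    # ShouldProcess gives -WhatIf / -Confirm for free; ConfirmImpact High prompts by default.
    if ($PSCmdlet.ShouldProcess("$($device.deviceName) ($($device.managedDeviceOwnerType))", $action)) {
        if ($action -eq 'wipe') {
            # Full factory reset: drop enrollment and user data. Never reached for non-company devices.
            $body = @{ keepEnrollmentData = $false; keepUserData = $false } | ConvertTo-Json
            Invoke-MgGraphRequest -Method POST -Uri "$base/wipe" -Body $body -ContentType 'application/json'
        } else {
            # Selective removal: company data, apps and policies only; no request body needed.
            Invoke-MgGraphRequest -Method POST -Uri "$base/retire"
        }
    }
    return $action   # the action chosen (or that would have been chosen under -WhatIf)
}

# Offline check of the decision logic:
Select-IntuneRemovalAction -OwnerType 'company'    # wipe
Select-IntuneRemovalAction -OwnerType 'personal'   # retire
Select-IntuneRemovalAction -OwnerType 'unknown'    # retire

# Against a real tenant:
# Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.PrivilegedOperations.All'
# Remove-IntuneDeviceControl -DeviceId '<managedDevice id>' -WhatIf   # shows the chosen action, sends nothing
```

Run it with `-WhatIf` first: the function still reads the device record, so you see the name and ownership Intune has on file before anything irreversible is sent. If the ownership is wrong in Intune, fix that first rather than overriding the decision in the script.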
How does Intune control corporate data on BYOD devices?
At the time of writing, the "Company Portal" application needs to be installed on any device that has an Intune policy assigned to it. Without the app, the managed applications cannot access the corporate data at all. Once Company Portal is installed and the device is registered, the managed applications can connect to Office 365 data, and it is this app that carries out the removal of corporate applications and data from the device when a wipe is requested.
My team members are concerned about Intune having access to their private information.
When the Company Portal application is installed, a privacy notice is presented listing what the organisation can and cannot see through Intune. It can see device details such as model, serial number and operating system version, and the list of corporate apps it manages; it cannot see personal email, messages, photos, browsing history or the employee's own apps' data.
Intune is a great addition to your IT estate and your control over company data, and much of what it provides (device inventory, encryption, patch compliance, remote wipe) is exactly what insurance forms ask for, especially when dealing with cyber-insurance.
If you have any questions or would like us to help with the security of your Office 365 tenant, please get in touch today.