Cleverly named, Microsoft Intune (also known as Microsoft Endpoint Manager) is a platform that is connected to Microsoft Azure, and grants several incredibly useful features for machines connected to Azure Active Directory. For more information on Azure Active Directory please see our Azure Active Directory – Your Questions Answered blog post.
What are the key benefits of Intune?
Microsoft Intune is part of the Office 365 family (although it did previously exist as an on-premises product) and focuses on MDM (Mobile Device Management) and MAM (Mobile Application Management) for your organisation from a Microsoft 365 standpoint. As the name suggests, MDM is the management of mobile devices and MAM is the management of applications on mobile devices, however this is not limited to laptops and mobiles, as it can also be used on desktops joined to Azure.
Some of the key benefits to Microsoft Intune are as follows:
- Corporate devices can be completely wiped via the Intune portal, removing all applications and data, including Windows, Android, and iOS.
- Corporate data can be wiped from employees’ personal devices via the Intune portal, again including Windows, Android, and iOS.
- Application Protection Policies can be added to prevent SharePoint and OneDrive data leaving the environment.
- The same Application Protection Policies can be used to lock data to corporate applications, preventing the copying and pasting of data to non-corporate applications.
- Policies can be added whereby pin numbers will be required before entering applications, to protect sensitive data from being seen by people outside the company.
- Autopilot procedures can be developed to self-install applications, data, and policies during the OOBE (Out of Box Experience) screen.
- Software can be deployed remotely via packages. For example, a new software package can be deployed to many machines in a fraction of the time it would take to visit those machines individually.
- All Azure\Intune joined machines will report to Microsoft Office 365 as an asset list, useful for insurance purposes.
- Machines automatically report their compliance, for example Windows 10 version, security updates, and more.
- Policies can be governing when to deploy the latest Windows 10 features to machines on the network, which can be split into distinct groups.
- Local drives can be BitLocker encrypted automatically, and decryption keys stored in Intune for safe keeping.
- Windows policies can be added which control any number of Windows settings remotely, either on an individual machine or as a group.
The key difference between corporate owned, and self owned devices (BYOD)
When we talk about corporate owned devices, these are typically joined to Azure or in a mobile instance have an application installed on them that can have full access to the root directory (so it can be wiped remotely) and have an MDM policy assigned.
When we talk about an employee’s personal device that they are using for work (such as in Bring Your Own Device – BYOD environment) then the same application is needed, but a MAM policy is applied instead. In the MAM instance, a separate section of the device is partitioned as “Work”, and depending on the setup, the employee can install the same applications again that they use personally, but these versions are controlled by the MAM policy and application, which is able to wipe the corporate data. For example, if an employee uses Outlook for their personal email, to connect to their work email, Outlook will need to be installed again on the “Work” section of the phone.
How does Intune control corporate data on BYOD devices?
At the time of writing, a “Company Portal” application needs to be installed on a device that has an active Intune policy assigned to it. Without the application installed, there is no way to gain access to the application’s data. Upon installing the Company Portal application, you are then able to connect to the Microsoft Office 365 data. It is this app that is able to delete corporate applications and data from the device.
My team members are concerned about Intune having access to their private information
Upon installing the Company Portal application, a disclaimer is presented showing what is and is not accessible by Intune.
Intune is a great addition to your IT system and data control, much of which is required on insurance forms, and especially when dealing with cyber-insurance.
If you have any questions or would like us to help with the security of your Microsoft Office 365 applications and data, please get in touch today.