Intune is Microsoft’s cloud-based mobile device management (MDM) solution. It provides agentless management for devices and is hosted in Azure – which means it doesn’t require on-prem infrastructure nor will it need VPNs to manage devices.
How does Intune work?
Intune is hosted in the Azure cloud and its management console can be accessed via a web browser, like Edge or Chrome. Much of the Intune functionality is policy-driven, which includes the following:
Device profiles for initial deployment and configuration
Configuration policies for devices and applications
Compliance policies that work with Azure Active Directory (Azure AD) to help vet conditional access to application and company data
Furthermore, policies and profiles can be deployed over the air to groups of devices or users based on what the administrator specifies. Also, profiles for initial device configuration and deployment can be distributed to Windows devices through Autopilot (or to Apple devices through Apple Business or School Manager).
What OSes are covered with Intune?
Intune can manage the following OSes:
Windows 10 and 11
Android 8.0+, Android Enterprise
Apple macOS 10.15+, iPadOS 13.0+, iOS 13.0+
Does Intune work with third-party software?
Intune is geared toward making it easy to patch Microsoft products. While there are some ways to update third-party apps, it costs time and/or money to make it happen.
Since Intune doesn't patch third-party applications natively, users often purchase add-on products from third-party providers to extend Intune capabilities to cover third-party application patching.
Also, Intune doesn’t support Linux operating systems nor does it help with Windows Server. This leaves organizations running SCCM (or another tool) to manage Windows Server and Linux, which usually means they have duplicative workflows and require on-prem infrastructure.
What can Intune do?
Intune’s primary use case is for more modern device management over SCCM, as it eliminates some of the requirements SCCM has like a VPN connection to the domain and (typically) on-prem infrastructure. Many organizations run both Intune and SCCM together since not all operating systems commonly seen in the enterprise are covered by just one of these tools.
But Intune can also manage bring your own device (BYOD) endpoints without requiring an agent to be installed – something that may not be permitted or possible for non-corporate owned devices.
Additionally, organizations can use Intune to deploy software to devices that use OS-specific app stores (like Apple, Google (for Android), or Microsoft stores).
However, getting a comprehensive inventory of applications on a Windows device can be tricky. That’s because Intune only detects MSI-installed applications. So other methods (like .exe) might not be reflected in device inventory and may be more difficult to manage as a result.
Now, Intune does integrate with Azure Active Directory. That means administrators can create and enforce compliance rules, such as enforcing an updated operating system (OS) version, via conditional access for users and devices. In other words, Intune can restrict access to company applications and data if the compliance criteria are not met.
Remember, Intune is an MDM, which means it can also provision Windows and Apple devices “over the air” without an agent, using Windows Autopilot or Apple Business/School Manager. This ensures new devices are ready for an employee’s first day, without the IT team ever touching the device.
Intune can also help with patching and reboots for Windows devices. But it falls short with Apple – specifically macOS. Administrators can modify update visibility in macOS with Intune, but Intune doesn’t have tools to enforce updates and reboots with macOS. So if timely update compliance with macOS is an important part of your IT and security program, you should absolutely consider other solutions.
What are the licensing requirements?
To license Intune, you’ll need to have purchased one of the following bundles from Microsoft.
Microsoft 365 E5
Microsoft 365 E3
Enterprise Mobility + Security (EMS) E5
Enterprise Mobility + Security (EMS) E3
Microsoft 365 Business Premium
Microsoft 365 F1
Microsoft 365 F3
Microsoft 365 Government G5
Microsoft 365 Government G3
Intune for Education
Do you need other software to use Intune?
To use Intune, your computers must be connected to Azure Active Directory, which is a cloud-hosted Active Directory. Historically, this has only existed on-prem. Thus, your devices must either be purely Azure AD-joined, or Hybrid Azure AD-joined (a combination of on-prem AD and Azure AD).
To use features like automatic MDM enrollment in Intune, you’ll need Azure AD Premium, which requires the purchase of an Enterprise Mobility + Security (EMS) subscription.
Should you use Intune?
The most important thing to understand is that Intune is an agentless solution, this is generally what mobile device managers (MDMs) are. So you have to consider if it’s reasonable to manage your entire estate with an agentless solution, or if a blend of agent-based and agentless management is best. Agentless solutions can be helpful for BYOD devices or for touchless provisioning, but the level of control an agent-based solution offers is greater than agentless solutions.
With Intune (and other agentless solutions), you’re restricted to what controls the OS has made available through Windows Autopilot or Apple Business/School Manager, as well as what the MDM solution has enabled in their UI for control.
For example, Intune doesn’t have a control available for reboots and shutdown of macOS yet. But an agent-based solution may be flexible enough to easily script such an action.
Also, if you have servers, Linux-based or Windows Server, you won’t be able to manage them with Intune. So you might want to consider other solutions. If you opt for Intune anyway, just be prepared to manage servers and laptops/desktops with other tools.
However, if managing and enforcing third-party updates is a priority, you’ll definitely need another solution or a third-party add-on purchase to accompany Intune.
In the end, Intune can be a great tool to help modernize your device management capabilities and eliminate some on-prem infrastructure. But the solution itself likely won’t meet all needs of a modern organization that requires control over servers, third-party apps, and more via the cloud.
Automox for Easy IT Operations
Automox is the cloud-native IT operations platform for modern organizations. It makes it easy to keep every endpoint automatically configured, patched, and secured – anywhere in the world. With the push of a button, IT admins can fix critical vulnerabilities faster, slash cost and complexity, and win back hours in their day.
Grab your free trial of Automox and join thousands of companies transforming IT operations into a strategic business driver.
