January 16, 2024
Mindsight Solution Architect Nick Stover is an expert on lots of things, including Microsoft’s popular device management solution Microsoft Intune. We asked him to give us a detailed rundown of how it works and why more organizations are adopting it. Nick will also be discussing Intune during a February 1st Mindsight event in Chicago that he’s co-hosting with Mindsight cybersecurity leader and senior solutions architect Mishaal Khan.
On Why Intune Is Unique
In terms of differentiators, the biggest one may be that Intune licensing may already be owned if a client is in Office 365. Intune Plan 1 is bundled in with many of the Office 365 plans today. So companies may have the ability to enable the service at no additional cost. I think that’s certainly a unique identifier. The other is that it has direct integration with many other Microsoft services that other MDMs simply don’t have. These integrations include the Windows Defender suite of products, Azure Arc and RemoteHelp, to name a few. Also, you have the ability to implement app protection policies to native Office 365 applications.
On Why Intune Adoption Is Increasing
Adoption has increased for two reasons. One, because it is part of that existing Microsoft licensing; clients are becoming aware that they have this tool and might as well see how it works. Most clients using Exchange have migrated to Office 365 already and are primed to take advantage of this offer. Also, if they can offset their third-party MDM, that’s one less bill to pay.
Another big factor has been the Covid pandemic and the increased number of businesses adopting a remote work or hybrid work model. One of the key benefits of Intune is that it does not require a line of sight to a domain controller in the same way GPO management or other third-party MDMs do. It doesn’t require endpoints to be connected via VPN or even be on the corporate network, giving the organization flexibility in managing their endpoints. In that same notion, Intune is also a replacement for traditional group policy-based management, or it can be leveraged in co-management mode with your existing group policy, as most organizations use traditional group policy management. You can push those same policies with Intune, but you don’t need to be on-network.
On Intune’s Built-in Security Features
Intune plays a critical role in security for most organizations. Intune can push different compliance or configuration policies down to a machine. For example, let’s say you want to harden the operating system or update applications on a remote machine. You have the ability to do so. Let’s say an issue comes up with a particular piece of software or application installed on a corporate workstation. With Intune’s integration with Defender and conditional access, you are able to identify the risk, block access to your corporate resources until the vulnerability is resolved, and patch and update that machine or application to bring it back in line with your compliance policy.
This can expand into data and application protection policies. So, you’re controlling how the users operate or touch your data from mobile devices, essentially creating separate profiles where the data is not, in fact, stored or mixed in with the personal profile, giving the organization complete control of the data at all times.
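The compliance-to-conditional-access chain described in the answer above can be scripted end to end. The following is an added example, not code from the interview or from Mindsight, written against the Microsoft Graph PowerShell SDK (`Invoke-MgGraphRequest` with v1.0 endpoints). It assumes the Microsoft.Graph module is installed, that the account running it holds the Intune Administrator and Conditional Access Administrator roles, that the Defender for Endpoint connector is already enabled in Intune (otherwise the machine-risk setting has nothing to evaluate), and that `$PilotGroupId` and `$BreakGlassGroupId` are placeholder Entra ID group object IDs you must replace with your own.

```powershell
# Added example (not from the interview or Mindsight). Builds the chain:
#   compliance policy -> assignment -> Conditional Access -> list of affected devices.
# Assumptions: Microsoft.Graph module installed; caller has Intune Administrator and
# Conditional Access Administrator roles; Defender for Endpoint connector enabled in Intune;
# the two group IDs below are placeholders and must be replaced.
Import-Module Microsoft.Graph.Authentication

$PilotGroupId      = '00000000-0000-0000-0000-000000000001'  # placeholder: pilot device group
$BreakGlassGroupId = '00000000-0000-0000-0000-000000000002'  # placeholder: emergency-access accounts

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All',
                        'DeviceManagementManagedDevices.Read.All',
                        'Policy.ReadWrite.ConditionalAccess'

# 1. Compliance policy: the hardening baseline a Windows device must meet. Graph rejects
#    the POST unless at least one scheduled action is supplied; 'block' with a 0-hour grace
#    period marks the device noncompliant as soon as it fails a check. The ruleName value
#    is the one Microsoft's docs use; it is not tied to the password setting.
$compliancePolicy = @{
    '@odata.type'         = '#microsoft.graph.windows10CompliancePolicy'
    displayName           = 'Windows - Corporate Baseline'
    description           = 'BitLocker, Secure Boot, code integrity, Defender RTP, MDE risk <= low'
    bitLockerEnabled      = $true
    secureBootEnabled     = $true
    codeIntegrityEnabled  = $true
    defenderEnabled       = $true
    rtpEnabled            = $true
    osMinimumVersion      = '10.0.19045'
    # Defender for Endpoint machine risk score: devices above 'low' become noncompliant,
    # which is the "identify the risk, block until resolved" behaviour from the text.
    deviceThreatProtectionEnabled               = $true
    deviceThreatProtectionRequiredSecurityLevel = 'low'
    scheduledActionsForRule = @(
        @{
            ruleName = 'PasswordRequired'
            scheduledActionConfigurations = @(
                @{ actionType = 'block'; gracePeriodHours = 0; notificationTemplateId = ''; notificationMessageCCList = @() }
            )
        }
    )
}
$policy = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies' `
    -Body ($compliancePolicy | ConvertTo-Json -Depth 6) -ContentType 'application/json'

# 2. Assign the policy to the pilot group only; widen the target after testing the impact.
$assignment = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $PilotGroupId } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($policy.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 6) -ContentType 'application/json' | Out-Null

# 3. Conditional Access: require a compliant device for every cloud app. Created in
#    report-only mode so the sign-in logs show who WOULD be blocked before you enforce it,
#    and the break-glass group is excluded so a bad policy cannot lock out every admin.
$caPolicy = @{
    displayName   = 'Require compliant device for all cloud apps'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice') }
}
Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' `
    -Body ($caPolicy | ConvertTo-Json -Depth 6) -ContentType 'application/json' | Out-Null

# 4. Show which managed devices would be cut off once the Conditional Access policy is
#    switched from report-only to enabled.
$nonCompliant = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?`$filter=complianceState eq 'noncompliant'&`$select=deviceName,userPrincipalName,osVersion,lastSyncDateTime"
$nonCompliant.value | Format-Table deviceName, userPrincipalName, osVersion, lastSyncDateTime
```

Run steps 1 to 4 against a pilot group first and leave the Conditional Access policy in report-only mode until the device list in step 4 contains nothing you did not expect; only then change `state` to `enabled`. Keep the break-glass exclusion in place permanently, since a compliance policy that evaluates incorrectly (for example after an OS version bump) would otherwise block every administrator at once.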
On Which Types of Organizations Are Adopting Intune
Adoption is widespread. I wouldn’t say there is a specific vertical adopting it more than others as the use cases are unique for each. I have seen financial and accounting institutions using it more recently as well as manufacturing and healthcare.
Overall, institutions that are higher on security and compliance have been faster to adopt Intune because it solves a variety of needs. Not necessarily just mobile device management, but also compliance requirements. Maybe they need to be NIST compliant, for example. You’re able to apply those baselines through Intune rather easily.
On What Goes Into Implementing Intune
The beautiful part about Intune – as well as a double-edged sword – is that, as with most cloud-based services, there’s really no infrastructure for you to stand up or configure. It’s ready more or less out of the box. You enable the Intune service, set up the initial policies, and you’re ready to use it.
With that said, Intune can be complex to configure for those that do not have experience. It’s more intuitive than SCCM, for example, but it can be daunting to configure for the first time for any organization.
There can be inadvertent side effects in terms of how you set up your organization relationship. For example, how are your devices ultimately synchronized, whether they are hybrid joined or AD joined and the pros and cons of each. There is also the question of whether the device is corporate owned or personally owned and the desired level of control over each. The device relationship with Office 365 matters and can make or break an Intune deployment. Getting that initial relationship set up is very important to the success of the overall deployment. So, you need an internal team or an MSP like Mindsight. Most people nowadays are very comfortable with implementing group policies. That didn’t happen overnight; that happened over time. It’s the same thing with Intune. You’re still setting up those same policies, but you’re setting them up in a different way, so it just takes time to learn the methodology.
Again, planning is very important — getting it right from the initial setup in terms of how your devices are going to interact with Office 365 services. There are also going to be custom configurations required for some third-party applications to make sure that you’re able to deploy them with Intune. So, it takes a little bit more time pushing out policies and testing their impact before ultimately rolling it out to the rest of your organization.
Additional Intune Features to Know About:
If organizations have old MDT imaging or maybe they’re using SCCM to image devices, Autopilot is something to investigate. Intune and Autopilot can control the entire lifecycle of an endpoint – from deploying the initial image to resetting it back to the out-of-box experience. Autopilot also has a feature called OEM registration, allowing organizations to purchase devices and have them ship directly from the vendor to the end user, eliminating the need to ship them to your organization’s IT department for preparation.
The other thing to understand is that this is like the modern iteration of SCCM if you are using SCCM to image machines without the need to build on-premises infrastructure. Intune eliminates that.
Endpoint Privilege Management
A large area of concern is giving users administrative controls on their workstations. So, generally, companies either do one of two things:
Either they don’t allow them admin access on their machines and IT has to do everything on that device for them, or they allow them complete admin privileges. Users then have complete control to install whatever they want on that machine, which is not ideal. Through Intune, there is a new feature set where you can essentially elevate privileges upon request for specific needs so that users can ultimately complete whatever installation they need, without giving out overarching admin permissions to the entire device.
If you’d like to learn more about Intune and its security features, join us on February 1st at Gibsons Steakhouse in Oak Brook at 11:00am CT. Seating is limited so register today!
Mindsight is industry recognized for delivering secure IT solutions and thought leadership that address your infrastructure, cybersecurity, and communications needs. Our engineers are expert level only – and they’re known as the most respected and valued engineering team based in Chicago, serving medium-sized to enterprise organizations around the globe. That’s why clients trust Mindsight as an extension of their IT team.
Visit us at http://www.gomindsight.com
About The Expert
Nick Stover earned a Bachelor’s in Computer Science with a core focus on Network Security from Northeastern Illinois University. With over 10 years of comprehensive experience in designing, supporting, and administering IT system infrastructure, Nick has a vast amount of experience in migrating production workloads to the cloud in addition to designing cloud solutions for clients based on business needs.