A touch on Intune
This blog is mostly about Intune Endpoint Management, Modern Workplace and Mobile Device Management (MDM), with a special focus on security.
This post gives a high-level introduction to Microsoft Intune. The audience is people who are new to Intune specifically. You don't need a deep technical understanding, but you may be familiar with some of the products Microsoft offers. The idea is to give a starting point and refer to other posts that provide more detail.
What is Intune in the Microsoft Cloud?
Let's start with the fundamentals. The Microsoft Cloud is nothing more than datacenters all over the world that provide all kinds of IT products, services and resources.
- Microsoft 365 is a multi-tenant SaaS (Software as a Service) offering
- Azure is the platform that hosts all Microsoft Cloud services
- Intune is an Azure SaaS product that sits within the Enterprise Mobility + Security suite
What is Intune?
Microsoft Intune is a cloud-based Mobile Device Management (MDM) solution that enables organizations to enroll, configure, update and monitor device endpoints and to manage applications.
Why should you use Intune?
There are common factors that were drawbacks of previous MDM systems and are strengths of Intune:
- Administration and operation of the previous system was excessive
- Few or no updates were made (OS/security/update)
- A conflict with the contemporary enterprise strategy
- It's a Microsoft product, and many other products live in the same ecosystem (a jungle of services, e.g. Azure AD and the Defender suite)
- Up-to-date from every angle
- Simplicity & automation options
- (License) costs and future-proofing
- Manage devices
- Configurations and scripts
- Endpoint Security
  - Antivirus, disk encryption, firewall, Endpoint Detection & Response, Attack Surface Reduction, Account Protection
- Include Win32 packages
- Windows Store
- Analytics on compliance, updates and security
- Compliance integrated
Endpoint manager admin center
This is the Endpoint Manager Admin Center, which is the central portal for all tasks.
The next thing to consider is the enterprise join type. You can go for Hybrid Azure AD Join (with on-premises components) or Azure AD Join (cloud-only). With an Active Directory Domain Services join you will need connector services, though a hybrid environment also offers more possibilities.
There are 3 main ways to control endpoints:
1. Device configuration profiles
Here you can configure everything that happens on the system (comparable to Group Policy Objects, but Intune offers a wider range of configurations and settings).
2. PowerShell scripts
You can natively deploy PowerShell scripts to do certain tasks.
3. Compliance profiles
Compliance is measured against the configurations you make compulsory; you also specify the actions that are taken when these requirements are not met.
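To make the compliance idea concrete, here is an added example (not code from the original post) that creates a Windows compliance policy through Microsoft Graph with the Microsoft.Graph PowerShell module: the policy requires BitLocker, Secure Boot, code integrity and a running antivirus, and the scheduled actions define what happens when a device does not meet those rules. The property names are those of the Graph `windows10CompliancePolicy` resource as I know them; the display name, minimum OS version and notification template id are constructed placeholders and the whole thing assumes the signed-in account has Intune configuration rights.

```powershell
# Added example: create a Windows compliance policy with actions for non-compliance.
# Assumes the Microsoft.Graph module is installed (Install-Module Microsoft.Graph).
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

$policy = @{
    "@odata.type"        = "#microsoft.graph.windows10CompliancePolicy"
    displayName          = "Windows baseline compliance (example)"      # constructed name
    description          = "Encrypted disk, Secure Boot and active antivirus required"
    # Requirements the device must fulfil to be reported as compliant
    bitLockerEnabled     = $true
    secureBootEnabled    = $true
    codeIntegrityEnabled = $true
    antivirusRequired    = $true
    rtpEnabled           = $true                 # real-time protection switched on
    osMinimumVersion     = "10.0.19045"          # constructed example value
    # Actions taken when a device breaks the rules above. Graph expects the literal
    # rule name "PasswordRequired" for the action block of a compliance policy.
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                # Mark the device non-compliant immediately, so Conditional Access
                # can withhold corporate resources from it
                @{ actionType = "block";        gracePeriodHours = 0 }
                # After one day, e-mail the user (template id must be replaced
                # with a real notification template before running)
                @{ actionType                = "notification"
                   gracePeriodHours          = 24
                   notificationTemplateId    = "<notification-template-guid>"
                   notificationMessageCCList = @() }
            )
        }
    )
}

Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies" `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType "application/json"
```

Creating the policy does not yet apply it: assigning it to a device or user group is a separate step (the same object exposes an `assign` action in Graph, or you do it in the admin center). The security point is the pairing of the "mark non-compliant" action with a Conditional Access policy that requires a compliant device; without that pairing, non-compliance is only a report.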
Windows feature and quality updates run through scheduled update rings or targeted release profiles. Once the policy is configured, updates run almost without interaction. A common approach is to define different rings that delay updates by increasing amounts, creating an update cycle: first the IT department, then pilot users, and finally the whole company.
As you would expect, in terms of security Microsoft provides industry-leading capabilities and a lot of products, and Intune integrates with most of them. Endpoint detection and response supplied first-hand by Microsoft Defender (read more about Microsoft Defender for Endpoint) and the identity & access management (IAM) capabilities of Azure AD are key points.
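The staged rings described above can be scripted rather than clicked together. The following is an added example, not code from the original post: it creates three Windows Update for Business rings through Microsoft Graph with increasing deferral periods for quality (monthly) and feature updates, so that IT receives updates first, pilot users a week later and the rest of the company two weeks later. The property names are those of the Graph `windowsUpdateForBusinessConfiguration` resource as I know them; the ring names and deferral days are constructed values, and the script assumes the Microsoft.Graph module and an account with Intune configuration rights.

```powershell
# Added example: create three staged Windows Update rings via Microsoft Graph.
# Assumes the Microsoft.Graph module is installed (Install-Module Microsoft.Graph).
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

# Ring definitions: how many days each ring waits for quality and feature updates.
# The names and day counts are constructed for this example.
$rings = @(
    @{ Name = "Ring 1 - IT";      QualityDays = 0;  FeatureDays = 0  }
    @{ Name = "Ring 2 - Pilot";   QualityDays = 7;  FeatureDays = 30 }
    @{ Name = "Ring 3 - Company"; QualityDays = 14; FeatureDays = 60 }
)

foreach ($ring in $rings) {
    $body = @{
        "@odata.type"                      = "#microsoft.graph.windowsUpdateForBusinessConfiguration"
        displayName                        = $ring.Name
        description                        = "Staged update ring (example)"
        qualityUpdatesDeferralPeriodInDays = $ring.QualityDays
        featureUpdatesDeferralPeriodInDays = $ring.FeatureDays
        # Install automatically during the maintenance window, from the
        # "business ready" (general availability) channel only
        automaticUpdateMode                = "autoInstallAtMaintenanceTime"
        businessReadyUpdatesOnly           = "businessReadyOnly"
        microsoftUpdateServiceAllowed      = $true
        driversExcluded                    = $false
    } | ConvertTo-Json -Depth 5

    Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations" `
        -Body $body -ContentType "application/json"
}
```

As with any configuration profile, each ring still has to be assigned to the matching device group (IT, pilot, company) before it takes effect. The deferral for the last ring is the window in which a broken update can be caught in the earlier rings and paused, so it should be long enough to notice problems but short enough that security fixes still land in reasonable time.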
This is my security guide covering all topics within the Microsoft sphere.
Intune works with some great third-party products that can be implemented to raise the technology and automation level even further.
TeamViewer enables remote support, built into the Intune device portal. Read my blog article about TeamViewer + Chocolatey + Intune, a modern approach to enterprise remote assistance.
I also recommend taking a look at the Chocolatey package manager to install and keep common software up to date with a minimal amount of effort.
How to go on
After this introduction, I would suggest following with these posts: