Intune and your mobile journey

by Niklas Tinner a month ago 10 min read

Introduction

iOS and Android are the most common platforms for mobile endpoints 📲. Of course, also those endpoints need corporate apps, security policies and need to fulfill compliance requirements and more. Management via Microsoft Intune is a common way for organizations to control and monitor their mobile devices easily from the cloud.

This post discovers foundational theoretical principles in the mobile endpoint management world and describes solution concepts and important considerations.

Motivation for mobile management

Why you should manage mobiles via Intune:

🛣️ Standard setup and experience of iOS and Android smartphones and tablets
🔐 Ensure security and protect data
🔖 Deploy corporate apps needed for work
🔭 Monitor your mobile devices on compliance, health and system status

Platforms

iOS and Android are foundational different operating systems, but they all run on mobile device factors like smartphones, tablets or within other appliances. Let's wrap up the key differences, because they also have an impact on how the management works:

	iOS 🍎	Android 🪅
Vendor	Proprietary mobile operating system developed by Apple, offering a consistent user experience across all Apple devices	Open-source platform developed by Google, allowing for greater customization by manufacturers and developers
Ecosystem	More unified hardware and software ecosystem	More flexibility and diversity in the hard- and software
OS	Offers a more streamlined and uniform user interface, with limited customization options	Offers greater flexibility in terms of customization, allowing users to personalize their device's interface, install custom ROMs, and access system files.
Services	iCloud	Google Services (on most Android devices)
Apps	App Store is the exclusive marketplace for iOS apps (except in the European Union)	Play Store and sideloading of apks
Management	Requires Apple Push Notification Certificates and Management Profile	Requires Managed Google Play

💡

Multiple Android versions are supported by Intune. Android Enterprise is the go-to platform. Android Open Source Project (AOSP) is fully open source and does not include Google Mobile Services (GMS) or any other proprietary software.

Concepts

Let's jump into some concepts that are important to understand to define your mobile journey!

MDM & MAM

First, we need to understand the difference between:

Mobile Device Management (MDM)
Mobile Application Management (MAM)

	MDM	MAM
Management of the	Device	App only
Enrollment	via Company Portal or from device setup like: 🍎 iOS = Apple Automated Device Enrollment 🪅 Android = Android Enterprise	Open the app, register the device to Entra, and install broker app: 🍎 iOS = Authenticator App 🪅 Android = Company Portal
End user effort	User enrollment (no device reset) takes a few steps from Company Portal to register device and install management profile	Just sign into the app, register the device and restart the app
Configuration options	All options can be configured	Not possible -> use app configuration profiles, that are app based
Security options	Apply system security baselines or configurations	Apply data protection, access requirements and conditional launch
Compliance options	Apply Intune compliance policies	Check access requirements
App deployment	✅ Supported	🚫 Not supported
Retirement	Retire, wipe, delete the whole device	Wipe app data only via Intune portal
Conditional Access	✅ Supported: Require compliant device (requires compliance policies)	✅ Supported: Require App Protection Policy

When to use what?

Reality shows, that MAM is sufficient for 90% of the use cases, as standard workers often just need access to the core Microsoft apps like Teams, Outlook and the whole office suite.

🗒️

Check the following page to see supported apps for MAM.

What are the reasons to manage with MDM?

Protecting the whole device and apps that are not supported by MAM
Device is corporate-owned any only for corporate purposes, or even a single use / Kiosk device type
Deploy apps
Configure more/all system aspects and security
Defender for Endpoint onboarding is needed
Certificate deployment, VPN or network connection configuration built-in

What are the reasons to manage with MAM?

Users with personally-owned devices want to access corporate data securely, no enrollment wanted
Simple & light management with less effort

Ownership

Ownership of the device is another important factor to decide which and to which extent the management of the device makes sense. A device can either be corporate or personal owned. Probably you don't want to manage these devices equally and apply more strict policies to corporate-owned devices. Also, a personal device is usually not intended to be fully managed, monitored and restricted, because it is not a corporate resource. The differences on the platforms for MDM are the following:

iOS 🍎

Corporate owned
- Device Enrollment: More control over the whole the device
- Automatic Device Enrollment: Supervision allows for additional over everything - control over the device and its configuration - learn more
Personally owned
- User enrollment (Account driven): monitor and configure basic system

Android 🪅

Corporate owned with work profile or fully managed: full control over the device and its configuration, with optional separation between personal and work profile
Personally owned with work profile: a separate work profile is installed and all settings, apps and data will reside in just this work container

ℹ️

Check out this docs article to get an overview of what data you can (not) see on an enrolled devices.

Access control: Conditional Access

To control access for both MDM or MAM, you should implement a Conditional Access policy that validates the access requests to any Microsoft 365 service is coming from a managed device or app. Read more about Conditional Access

Access grant options

From a technical perspective there are the following grant controls which ensure an access is secured by either MAM or MDM. (some are only applicable to certain OS types) This is included in the grant option and should be set to "require one of the selected controls".

Policy design

This Conditional Access Policy require MAM or MDM would look like this:

	Configuration
Users	Include: All Exclude: Break Glass admin
Target resources	Office 365 + any other app that should only be accessible from a managed mobile
Conditions	Device platforms: Android, iOS Client apps: Mobile apps and desktop clients
Grant	-Require device to be marked as compliant -Require app protection policy >Require one of the selected controls

Additional: Protecting apps accessed from the browser

You may now ask how to protect Microsoft 365 or other apps from browser access. The answer is: Conditional Access App Control (read my dedicated blog post about it) with Microsoft Defender for Cloud Apps to control the browser session on any device.

This is allows you to monitor or control app access and set granular policies through Defender for Cloud Apps such as restricting cut/copy paste, require elevated authentication (MFA), secure up- and downloads or other activities. Read the Microsoft docs

Overview

Describe the management aspects

❗

Disclaimer: MDM and MAM are not fulfilling all data protection requirements. Management of the device or app is only a security measurement and reinforcement. In terms of data protection, you should always strive for Azure Information Protection.

MDM 📱

Mobile Device Management includes to configure system aspects, apps and data on the device-level. In a nutshell MDM allows to:

Enroll the whole or user part device into Intune - corp data is isolated and separated from personal area (both platforms)
Apply system settings, policies and profiles, including security
Verify with compliance policies
Deploy apps

Enrollment

Enrollment is the process to connect your device with Intune and make it manageable. The enrollment includes a authentication part, which is backed by Entra ID. Before you can enroll, you should check out the MDM authority and enrollment restrictions.

iOS 🍎

Corporate owned: Apple Automated Device Enrollment (ADE) or Device enrollment
Personally owned: Account driven user enrollment, authenticate with your Entra ID/Managed Apple ID federated account, start the enrollment, install the management profile (Apple)

Android 🪅

Corporate owned: Android Enterprise Enrollment | Android
Personally owned: Download the Company Portal from Play Store, authenticate with your Entra account, start the enrollment Android Enterprise personally owned devices with a work profile

Configuration

Configuration includes settings in policies that define system behavior, look & fees and more. In Intune we mainly use the Settings Catalog or Templates for this.

Security

Security is first of all defined by the platform security - so which security features and measures the platform, including hardware and OS provide. Check out Apple Platform Security guide and Android Enterprise Security for more information.

To ensure security with Intune, you should focus on system security settings, provided through configuration. Select a security framework and apply the recommended policies. (More about Intune security)

STIG: iOS | Android
CIS: iOS |Android
Microsoft Security Configuration Framework: iOS | Android

Compliance

Compliance policies are essential to ensure that devices which access corporate resources meet security and system requirements. Compliance policies are audit only and should be combined with Conditional Access to define the access. They check device health and system security. Actions for noncompliance can be defined, such as send a push or email notification, lock or retire the device. Read my post on Intune compliance

App deployment

Apps are the reason why we want mobile devices. With Intune we can centrally deploy, install automatically silent or make available apps from different sources.

iOS 🍎

(Apple) Store app
Web clip
Web link
Built-In app
Line-of-business app
Apple Volume Purchase Program (VPP) - acquire Apps directly from Apple Business Manager and deploy to devices without needing an Apple ID

Android 🪅

Android store app
Managed Google Play app
Web link
Built-In app
Line-of-business app
Android Enterprise system app

MAM 📥

Mobile Application Management does only control configurations, look & feel within an app. It is important to mention, that MAM is independent of the underlying device. In short it includes:

Configure app settings
Protect data in the app
Define access and launch conditions of the app

App protection

App protection policies are here to protect corporate data in managed apps and is part of Microsoft's MAM solution. These are available for iOS/iPadOS, Android and Windows 10 and later. These policies are usually applied when the device is not corporate managed and also hold personal data. The danger is that corporate data could be exfiltrated to other workloads on the device. App protection policies consists of three sections:

Data protection - the protection, settings and functions in the corporate app or for sharing with other apps
Access requirements - defines how to corporate app must be started
Conditional launch - sets actions when certain requirements are not met

To adapt this service, I would recommend the Data protection framework using app protection policies from Microsoft, which is graded in three levels: Level 1 enterprise basic data protection, Level 2 enterprise enhanced data protection, Level 3 enterprise high data protection.

App configuration

App configuration policies have the capability to define settings and look in a corporate app that was deployed to an Intune managed device or has the Intune app SDK integrated or was wrapped. These can help to improve and streamline the user experience.

Getting started

If you want to start your mobile journey with Intune, I recommend you to get as much hands-on experience as possible. The technical part is not everything, don't forget about gathering requirements from your business to equip them with the right mobile setup. Ask these questions to identify which mobile device setup would be right:

General

Is the device corporate or personal owned?
Which OS is used?
Which corporate apps should be accessed? are the Intune MAM supported?

MDM

What device is desired? (low/medium/high-end) (form-factor)
Which OS is desired/needed?
For what is the device used? (corporate only/personal/kiosk)
Which security baselines should be used?

MAM

Which apps do you want to protect with MAM?
How much should security and usability be balanced?

Prerequisites

Licenses: Intune Plan 1
Roles & permissions: Intune administrator
Android: Managed Google Play Account linked to Intune
iOS: Mandatory: Apple Push Notification system certificate (APNs) | Optional: Apple Business or School Manager | Optional: VPP token
Verify Intune MDM authority and Intune enrollment platform restrictions

❗

The Apple Push Notification system (APNs) certificate must be renewed anually. If it expires, you need to re-enroll all devices.

Start with Intune management

After you collected your use cases and requirements and know what's possible you can start with a proof-of-concept implementation of policies for mobiles. Please ensure you meet all the prerequisites and have your Intune tenant settings configured correctly. I would generally follow these steps:

Define the use case
Choose an enrollment option - get overview here
Plan for configuration and compliance policies and app deployment
Implement policies
Pilot the proof-of-concept
Feedback collection and prepare to roll out
Roll out use case / provide to end users

ℹ️

End user guides are recommended to ensure the enrollment and operations are handled correctly and everything is understandable for employees.

powered by