How to get the most from Microsoft Intune

When it comes to managing corporate hardware, Intune stacks up well against rivals like AirWatch, MobileIron Cloud and Maas360. Whether it's the right EMM choice depends on your company's current setup and future needs.


Microsoft's Intune, launched in 2011 and augmented with mobile management capabilities the following year, is part of Microsoft's Enterprise Mobility Suite — a bundle that includes Azure Active Directory and Office 365. At the most basic level, Intune delivers enterprise mobility management (EMM) capabilities in a cloud-based format.

In many ways, Intune is similar to other EMM offerings from the likes of VMware's AirWatch, MobileIron Cloud and IBM's Maas360. Like other companies, Microsoft relies largely on the innate EMM and mobile device management (MDM) capabilities already built into the mobile operating systems it supports — primarily iOS and Android (though it can also manage desktop platforms like Windows 10 and macOS; more about that later). Because the same set of security and management options is available to every vendor through the platform's MDM protocol, these capabilities largely create an even playing field among EMM products.

Microsoft is unique compared to other EMM players in two major ways, however. The first is that Microsoft solutions, including Active Directory, make up the IT stack implemented by most enterprise organizations. The second is that Microsoft makes Office and Office 365, which almost every business relies on. As such, Intune has a deep connection into Office 365, particularly when it comes to licensing, and it lets Microsoft pursue equally deep integrations with Office apps.

Neither part of this unique position means Intune is the best value when it comes to device management, but both are factors to consider for companies weighing EMM options. Other vendors can offer similar full-stack EMM products that interrelate with other enterprise infrastructure components. So if you stick with a single vendor for several parts of your enterprise stack, it makes a degree of sense to select that vendor's EMM solution; Microsoft just happens to be part of a lot of enterprise IT stacks, giving it something of a home court advantage.

Under the hood: Intune, Office 365 and Azure AD

With that in mind, one of the biggest plusses for Intune is its deep integration with Microsoft's other two major enterprise cloud solutions: Office 365 and Azure AD. Mobile management tasks can be spread across the administration tools of all three platforms, with some user creation and management done through Office 365 while device and access issues are managed with Azure AD. It's no surprise Microsoft sells all three as an integrated whole. Note: Even if Intune is used without these other Microsoft components, IT admins may still need the web portals for them to use Intune for ongoing management and monitoring.

[Image: The Azure Intune dashboard. Credit: Eric Geier/IDG]

Intune can also be integrated with System Center Configuration Manager (SCCM). Originally this was done by means of a connector, allowing Microsoft to strive for the sometimes mythical "single pane of glass" ideal. This week, however, Microsoft announced that this connector-based solution, often referred to as a hybrid implementation, will be retired in favor of a "co-management" approach delivered last year. In these co-managed deployments, SCCM is the main way devices are managed in Intune. (Because SCCM is often the primary interface for on-premises network and systems management, it typically takes precedence when the connector is configured, which makes Intune management a bit more admin-friendly.)

Intune and mobile device, app and content management

For mobile devices, Intune largely follows the capabilities for managing devices, apps and content that the platforms in use make available. Microsoft implements Apple's iOS and macOS management capabilities available via the company's MDM protocol (including the Apple Push Notification service, APNs) and Google's Android for Work. (It also supports Samsung KNOX.) The policy options and commands that are available — depending on platform and OS version — include device inventory, updates, remote wipe (corporate data only or the complete device), corporate app deployment, configuration, security rules, and automated monitoring. Where appropriate, Intune also supports conditional access and roles that deliver policies dynamically.

[Image: Intune being used to set mobile device enrollment rules. Credit: Microsoft]

As with other EMM options, device enrollment can be initiated using the Intune Company Portal app that's available in Apple's and Google's respective app stores.

Using Intune to manage PCs

One major consideration for enterprises is Intune's ability to manage PCs as well as mobile devices. This option is primarily focused on Windows 10, which itself is delivered and licensed much like a service. Intune will smartly differentiate between the desktop and mobile iterations of Windows and, depending on the mechanism of enrollment, can classify PCs as either devices or computers.

That means there's a handful of different PC management options, which may seem like a minor distinction. But the semantic difference is also a conceptual one. PCs can, of course, be configured, managed and deployed using Active Directory Group Policies. This is the traditional option and it's been the basis of PC management (indeed all systems management) for about 20 years. It remains the default for any IT department when it comes to PC management. But, as Apple did several years ago, Microsoft has opened the option to manage not with Group Policies but with MDM policies.

Although no one expects Group Policies to be retired or sharply deprecated anytime soon, it makes sense for organizations to consider whether they would handle PC deployments (new or even existing ones) in an MDM-first environment. Intune's user self-service and enrollment capabilities do make sense in some situations, particularly where BYOD is in use or a company is working with outside contractors. That's because MDM is a much more lightweight solution than joining a PC that isn't organization-owned to Active Directory and applying a large swath of Group Policies to it.

How broadly an IT department wants to approach PC management this way will vary. Many companies have a lot of entrenched Group Policies, many of which interact with or depend on one another. The scope and scale of policies in even a moderately sized organization can be quite large, and it's fairly common to have undocumented policies in place that may or may not be relevant down the road.

Migrating all of those policies to Intune might seem like a staggering chore, depending on the complexity of your Active Directory environment. It can, however, be good to at least consider PC management from a fresh angle. (This is true for any major MDM/EMM vendor, not just Microsoft and Intune.) Experimenting with these options can lead to much simpler systems administration duties. Migrating even a fraction of PCs to an MDM scheme could also improve performance, as fewer policies are required for each PC to boot and run.

Using Intune with Macs

Intune can also be used to manage Macs; macOS management is based on the same MDM protocol and functionality as iOS, though the actual policy options may vary because of the nature of Mac desktops and laptops. As with iOS, Apple's approach means that Intune has a level playing field with other EMM vendors when it comes to the Mac, though it's worth noting that some vendors — particularly JAMF — offer extra Mac deployment and management tools that go a bit further than just the EMM capabilities. As a result, admins should consider the depth of deployment and management they want or need for workplace Macs (as well as those owned by employees or contractors). Intune is certainly a good option and it does allow you to manage Macs alongside other devices and PCs.

The bottom line here: If you have a relatively small number of Macs, it will probably be fine. But if you are an Apple-centric enterprise, you might want to look more closely at other options.

At the end of the day, Intune is a capable and scalable solution for each leg of the EMM stool. Although Microsoft initially arrived a bit late to the EMM vendor circus, it has managed to catch up quickly and is arguably the simplest option, from both technical and licensing perspectives, for many organizations. Whether Intune or another vendor is the best option largely depends on your current IT stack and the direction you want to move overall over the next few years.

Copyright © 2018 IDG Communications, Inc.
