Microsoft Endpoint Manager: What Intune's successor does and how it works

Microsoft's unified endpoint management offering, Endpoint Manager, is designed to reduce the time and effort needed to manage desktop and mobile work environments. Here's what it does.


Microsoft's Endpoint Manager combines Intune and System Center Configuration Manager to reduce the time and effort IT admins need to manage desktop and mobile work environments.

As businesses look to give employees flexible work spaces, whether on desktops or mobile devices, in the office or out in the field, IT shops have had to scramble over the past decade to consolidate the management of hardware using a single console.

With that IT goal in mind, Microsoft in 2011 launched its Intune cloud service to address the emerging enterprise mobility management (EMM) needs of businesses. Eight years later, in 2019, Microsoft decided to join its Intune unified endpoint management (UEM) platform with its Configuration Manager (ConfigMgr), enabling users to access both with just one interface.

The combined products — known as Endpoint Manager — make licensing for Intune available to all ConfigMgr customers to co-manage Windows devices. Between the two cloud services, more than 200 million devices are now being managed, according to Microsoft.

Along with a single management interface for ConfigMgr and Intune, Endpoint Manager includes the Device Management Admin Center (DMAC), Windows Autopilot, and Desktop Analytics.

Windows Autopilot is designed to make it easy for users to set up new devices without IT help.

The software gives IT admins on-premises and cloud management tools as well as co-management options to provision, deploy, manage, and secure endpoints — desktops, mobile devices, and applications — across an enterprise.

Simply put, Endpoint Manager is designed to make it easier to manage a variety of devices in a way that protects corporate data while still allowing employees to do their jobs using both corporate and personal devices. It combines mobile device management (MDM) capabilities with mobile application management (MAM) and, while obviously tied to the Windows ecosystem and other Microsoft products, it can manage hardware running other operating systems, including macOS, iOS, and Android.

Microsoft also envisions Endpoint Manager being used to manage Cloud PCs as part of the company's Windows 365 venture unveiled in mid-2021.

The rebranding of Intune as Endpoint Manager initially caused some confusion because of the tools’ overlap. However, companies that use Endpoint Manager now understand the full suite of capabilities available to them, said Dan Wilson, senior director analyst at Gartner.

Combining Intune and SCCM/ConfigMgr in some ways was Microsoft's answer to questions about whether traditional PC management was finally dead. (It’s not.)

Traditional management tools will continue to play a role in co-managing PCs that require routine lifecycle tasks such as disk imaging and MDM, said Wilson.

“2020 increased and accelerated adoption of co-management and cloud management of endpoints, as well as federation of the Configuration Manager and Intune consoles via tenant attach,” he said.

As a subscription service, Microsoft charges companies on a per-user, per-month basis. Pricing starts at $10.60 per seat as part of Microsoft's Enterprise Mobility Suite, which includes Azure Active Directory, Azure Rights Management Services, and Advanced Threat Analytics.

How does Endpoint Manager fit into the EMM and UEM market?

When Intune arrived, companies were still in the throes of figuring out how to manage the sudden onslaught of devices accessing corporate data and networks — fallout from the bring-your-own-device (BYOD) trend that took off after the release of Apple's iPhone in 2007.

Driven by corporate BYOD programs, hardware management has been shifting away from a Windows-dominant world to one that is increasingly diverse and includes iOS, Android, and Apple devices. As more worker tasks are carried out on mobile devices, the momentum behind unified endpoint management (UEM) grows, since all user-facing devices can be managed via a single console.

Gartner's look at the evolution of endpoint management.

By 2022, Gartner said, 50% of company-owned Windows 10 PCs will be managed using EMM software or UEM tools. That should help companies boost operational efficiency. The difficult part for many will be choosing whether to use something like Intune or cobble together a management ecosystem built on software from a number of third-party vendors.

To be successful, any comprehensive UEM system, according to Gartner, needs to integrate with client management tools and meet the following objectives:

  • Provide a single console to configure, manage, and monitor traditional mobile devices, PCs, and IoT assets.
  • Unify the application of data protection, device configuration, and usage policies.
  • Provide a single view of multi-device users for better end-user support and to gather detailed workplace analytics.
  • Act as a coordination point to orchestrate the activities of related endpoint technologies such as identity services and security infrastructure.

The big difference between MDM and UEM: The latter envisions managing desktop hardware as easily as mobile devices, and can handle multiple operating systems, both desktop and mobile.

The majority of vendors whose software allows UEM come from the MDM and EMM market, and many have been adding Windows management capabilities over the past couple of years.

Many of these have expanded to support Chrome OS and macOS platforms, positioning them to take on the management of multiple types of traditional endpoints, alongside the mobile endpoints they manage.

Client management tool vendors have generally been a bit slower to build out extensions to their PC management tools so they can also handle mobile devices and modern OSes.

“The 2021 UEM market includes more traditional client management vendors who added agentless management of modern PC operating systems and mobile devices,” said Wilson. “Traditional MDM/EMM vendors are focusing more on device-agnostic secure workspace and security-centric mobile device use cases, rather than continued development of PC management capabilities.”

“Operating system diversity is more important as increased adoption of Chrome OS and Linux are driving additional demands for increased support from UEMs,” he said. “Improved macOS support is also important, as UEM [vendors] work to reduce the functionality gap between themselves and Apple-centric management tools.”

In addition to Microsoft, other vendors offering UEM solutions include BlackBerry, IBM, Ivanti (which acquired MobileIron last year), and VMware, according to Gartner’s 2021 Magic Quadrant report for UEM.

What can Endpoint Manager do?

Through Endpoint Manager's console, IT admins can execute a UEM strategy where end users can be onboarded through any hardware platform, and rules can be applied governing which applications and what data they can access. UEM uses MDM APIs on mobile platforms to enable identity management, wireless LAN management, operational analytics, and asset management. In theory, at least, UEM enables IT to remotely provision, control, and secure everything from smartphones to tablets, laptops, desktops, and now Internet of Things (IoT) devices from a single console.

This is how Microsoft describes the relationship between Endpoint Manager and Intune.

Some UEM products also allow mobile application management (MAM), letting IT admins control access to specific business apps — and the content associated with them — without controlling the entire physical device.

Many of the basic application and system provisioning functions required for business laptops and PCs running Windows can now be done through that operating system’s EMM control consoles, which are enabled by Microsoft's Intune protocol. That means organizations with more recent Windows PC deployments can use consolidated management tools and unified policy and configuration platforms via UEM.

For example, the software's integration with Microsoft's Azure AD and Azure Information Protection enables admins to classify (and optionally protect) documents and emails by applying access rules and conditions. And Intune's integration with Azure Data Protection lets admins include watermarks on any images taken with a mobile device, whether company-issued or used via a BYOD corporate policy.

To make device management easier — especially for Windows-based shops — Microsoft added native EMM functionality to Windows 10 via Intune in 2019. 

In all editions of Windows 10, including those for desktop, mobile, and Internet of Things (IoT) hardware, the client provides a single interface through which Intune can manage any Windows 10 device. (Microsoft has said the management tools that work in Windows 10 will also work in the upcoming Windows 11, though it has offered few details.)

Intune enables conditional access, including denial of access to devices that are not managed by it or not compliant with corporate IT policies, management of Office 365 and Office mobile apps, and management of PCs running Windows Vista or more recent Windows releases.

An open API also allows third-party software providers, such as SAP, to wrap their application access controls into Intune's UI.

Many of the basic application and system provisioning functions required for business laptops and PCs running Windows 10 and 11 can also be performed through EMM control consoles. Endpoint Manager works with agent-based SCCM to support more advanced PC and server management capabilities.

(The primary subscription includes usage rights to SCCM, which allows organizations to manage PCs and mobile devices through the same management console — another benefit of a UEM strategy.)

Microsoft has announced a range of updates to Endpoint Manager in recent months, including Endpoint Analytics reporting in the admin center. It provides insights into device performance, helping IT proactively address policy or hardware issues that could affect users before they raise a help desk ticket.

Microsoft also introduced Tunnel, a VPN gateway for Intune that enables Android and iOS devices to remotely connect to on-premises apps and resources; and in June 2021, support for Android Enterprise work profiles, which can separate work and personal data on corporate-owned devices.

This article was originally published in September 2018 and most recently updated in August 2021.

Copyright © 2021 IDG Communications, Inc.
