What is Microsoft’s Intune – and how well does the UEM tool really work?

Microsoft's unified endpoint management offering, Intune, has the potential to reduce time and effort managing desktop and mobile work environments. But it's not without its own set of problems, according to users.


As a pharmaceutical company governed by strict regulations, Merck has to be keenly focused on data security and believes it can take advantage of the automated processes built into Intune, such as automated document quarantining, to keep data safe.

"We've set up a list of standards and requirements that every mobile device must achieve before they can gain access to any corporate data or applications. So, we also feel it would be a nice add-on to our focus on user validation and security," Jandoli said. "There's a lot of capabilities already inherent in the product itself that could provide some of these capabilities without building customized scripts."

Many organizations have created complex layers of scripting and policies to automate the configuration and deployment of PCs, most notably for Windows devices, according to Gartner. Those scripts and policies often don't translate well in a UEM environment, meaning new processes and tools have to be found, tested and implemented before they can move ahead.

Carhartt tries Intune, runs into problems

John Hill, CIO for work clothes manufacturer Carhartt, used Intune to manage its mobile phone environment as part of an Office 365 rollout. But after running into several issues, his team abandoned it for a more comprehensive platform.

(Carhartt has 1,850 Windows PC clients, 300 corporate-issued smartphones and 200 phones under a BYOD policy; 95% of the smartphones run iOS.)

As part of a 2016 upgrade to its internal security program, Carhartt rolled out Intune through its Microsoft enterprise agreement. Hill admits he hadn't done a lot of research and assumed Intune would be easy to plug into his existing Microsoft environment.


Intune's control panel for device administration where security parameters can be selected.

Chris Walker, Carhartt's director of infrastructure, said the company leans more toward a BYOD policy, so a MAM strategy was appealing since the hardware platform used by employees would be moot. Problems with Intune mounted, though, and Carhartt eventually limited its deployment to its mobile environment.

"We had so many problems with mobile that there's no way I was going to add desktop to it," Walker said.

Most of the issues involved policy control, policy deployment and overall administration, Walker explained. He would run into random end-users losing access to all corporate applications and data; the IT staff then had to uninstall and reinstall Intune on the device or move the users out of a group and back into the group to regain access.

Hill said he even reached out to two different industry partners who had existing Microsoft practices for advice and help. Neither was able to solve the issue.

Another problem Hill described as "absurd" involved using too few management tools on Intune, which resulted in all the mobile and application controls being deployed at once. Because the company has a BYOD policy, and "80% of corporate-issued devices are used for personal" communications, Hill said he didn't want to have phones wiped of all data because they were misplaced or a wrong password was entered too many times.

"We didn't want to have an effect on those other things: their contacts, their personal pictures and those things that make people cagey about having a management tool on their phone," he said. "We were apparently doing too little for device management and that was apparently partially causing our issues. You should be able to load an MDM [toolset] and literally be able to turn every policy off.

"We were just trying to streamline things. That's how Intune is built; it has a list of 100 different options and you just turn them on or off. We were unable to reduce the controls," Hill added.

About 10 months ago, Carhartt gave up on using Intune-only licensing and piloted – and later purchased – Microsoft's Enterprise Mobility Suite, which includes an Intune license while also offering MAM.

"It went really well and was easy to deploy. So, we essentially got rid of the independent Intune licenses and went all EMS, which gave us all those capabilities," Hill said. "That made life so much easier. Whatever apps you put in the container – and only those – is what is affected, without impacting the rest of the device."

One issue the company is still working out is the ability to support Windows, Apple and Chrome devices under one management console. "You really need three solutions to manage that," Walker said.

"The companies don't play well together. Maybe it's intentional," he added.

Brother International adds Intune to a cloud consolidation plan

Tony Serignese, vice president of Information Technology at Brother International Corp., said his company also rolled out Intune to manage its mobile device environment. After deploying Office 365 four years ago, he later learned one of the licensing packages included Intune.

So in 2016, the company rolled it out, along with Microsoft Azure.

It's using Intune only for basic MDM, but the company hopes to have a more comprehensive management program once Windows 10 is fully rolled out. Currently, Brother has 1,800 Windows desktop clients running a mix of Windows 7 and Windows 10 along with nearly 500 mobile users, most of whom are on iOS, with a smaller percentage on Android.

Prior to using Intune, Brother had used MobileIron's MDM platform for several years. But as the number of mobile devices used for work-related functions increased, so did the cost of licensing the software.

Cost biggest Intune driver, but support lacking

"The support we had wasn't really good, either," Serignese said.

"The support for Android at the time was not as robust compared to Intune," said Kai Fan, a network systems infrastructure administrator. "For example, we'd have to download separate apps in order for email to work on Android. And for Intune, with the Outlook app, we could configure a native email client on an Android [device]."

Cost, however, was the main driver – that, and consolidating systems on Microsoft, Serignese said.

"The good thing is it won't cost me any more money; it's part of our [Office 365] licensing agreement," Serignese said.

One of the IT team's complaints, however, involved problems generating reports.

"They need to improve their reporting," Fan said. "You know the devices that are on it, you can see all that, but to do anything with the data – that's very difficult."

For example, Fan said, just pulling up a list of all the Android apps running on devices was an arduous task in Intune. "It should be something easy to get," Fan said.

Another complaint was how much manual work the installation required to complete. It took the department two months to deploy; Brother would hold "Intune deployment parties" twice a week, pulling in end users from pre-determined departments.

Intune took about 15 minutes, per user, to set up. "The most time-consuming part was people figuring out what their Apple ID was," said Kirit Nayee, Brother's senior technical lead for Microsoft and cloud platforms.

Implementing Intune's configuration and topology, however, was pretty straightforward, as was setting its management policies, according to Fan.

Moving to cloud-based services has been an ongoing theme at Brother, which now uses external services for both its ERP and CRM environments; it's also planning a move to Amazon Web Services beginning next spring.

"I can say for the guys in my office, there are so many more exciting things to do than worry about memory in a server going bad or did the backup run last night," Serignese said.

Using a cloud-based mobile management platform like Intune has given the IT shop a greater sense of control over its mobile environment – and new security capabilities that weren't available on its previous in-house MDM platform.

"We're just now starting to look at the security aspect of Intune," Serignese said. "By moving to it, there's a lot more capability we can look at and not have to buy yet another product."

Copyright © 2018 IDG Communications, Inc.
