In our last blog of this EMS blog series, we wrapped up the discussion around Azure Active Directory Premium. Today, we're introducing the third product of EMS, Microsoft Intune.

No matter where employees happen to be, they always want access to their company content on any device they might have.  Whether it is email access on their phone or company data on their iPad or tablet, it is important to make sure that this access is secure and the devices are protected.  Microsoft Intune is a mobile device management (MDM) and mobile app management (MAM) solution that can help to enable users on all their devices while also providing the level of management that the company needs.

There are a lot of MDM solutions these days, what makes Intune special?

Intune is different from most MDM solutions in two main ways:

1. Intune is focused on Bring your own Device (BYOD).
Most MDM solutions are designed to control as much of the phone as possible, even if it might infringe on the individual user’s privacy.  For example, some MDM solutions can tap into the phone’s GPS and track the device at any time.  While this is useful if the device is company owned, many people don’t want to give that level of control on their personal device just to get their company email.  Intune provides a middle ground that still offers all the security a company might want – requiring passwords and screen lock, remote wipe capabilities, setting email policies and limits, etc - while also ensuring that user’s personal data such as their photos, videos, and personal email remain private.

2. Intune has native connectivity to Office 365, the Office mobile apps, and other Microsoft products.
Many MDM solutions discuss the concept of containerization.  This refers to a process where company data is stored in a separate set of MDM enabled apps that are independent of the phone’s native applications.  This forces users to have two mail apps, two Word apps, and so on.  With Intune, because it is a Microsoft product, that same security is done at the server level via Conditional Access and at the app level for Office and other apps so that users can continue to use the native device applications that they expect while the company can provide the same security via backend controls in Intune.

Conditional access makes containerization unnecessary, but how does that work?

Intune has options that allow it to connect to Office 365 and Exchange On-Premises and monitor connection requests from devices.  When a request is received, in the past the system would verify the username and password and then would allow access.  Now with conditional access, the system checks to confirm that all the required conditions have also been met by the device.  These conditions can include checking for a domain joined device or checking for Intune compliance policies such as verifying device OS version, restricting jailbroken devices, or requiring a device password.  If Intune does not respond that all of the conditions are met, then access will not be provided for the request.  Regardless of whether a user is trying to connect via Outlook Web Access, via their native phone app and ActiveSync, or with an Outlook client if they are not compliant, conditional access can block their access.

Conditional access is also an ongoing set of checks and balances for your devices.  Even if a device was once compliant, if something changes and the device no longer meets policies, then connectivity will be immediately blocked until the problem is resolved.  The end user and an admin will receive a notice of the problem which enables users to resolve many errors on their own devices without admin intervention.  Once the problem is resolved, access is immediately restored.

So far, for Intune, we have been focusing on mobile device management and support, but Intune is not just for mobile devices.  In our next blog, we will be discussing the benefits of using Intune to manage your desktops and laptops as well.