Chapter 14

Introducing Microsoft Intune

IN THIS CHAPTER

  • Exploring Microsoft Intune capabilities
  • Inspecting mobile device management policies
  • Knowing the use cases for mobile app management

In my household, I manage four laptops and one desktop running Windows 10, a MacBook Pro, an iMac, two iPhones, one Android smartphone, an iPad, and an Android tablet. And that’s not all. We have smart TVs, gaming devices, routers, smart watches, and IoT devices. Did I mention my husband and I are recent empty nesters?

Imagine what it would be like for an IT admin who has to manage desktops, laptops, tablets, and mobile devices for an entire organization, deal with users who have diverse needs and technical abilities, and to add more pressure, be the gatekeeper for the company’s data security and privacy. How do you balance pleasing your end users and making sure you don’t get in the way of their productivity while ensuring that the right controls are in place to minimize risk?

In today’s security landscape, companies of all sizes need a mobile device management (MDM) and mobile application management (MAM) strategy. Without such a strategy, you could end up with an employee calling you from the airport and freaking out because he has lost his phone, where he has saved confidential, personally identifiable information (PII) from one of your customers. You, as the IT admin, are sitting in your cubicle sweating, trying to figure how to get out of this mess smelling like a rose. Hint: You may not.

In this chapter, I introduce you to Microsoft Intune, a cloud-based mobile device and mobile application management solution designed to help your users stay productive while keeping your company data protected. Don’t be dissuaded if you’ve heard that Intune is applicable only in the enterprise environment. Intune very much applies to small business — and even a high-tech household like mine!

Getting to Know Intune

As a cloud service, Microsoft 365 Business is an ever-evolving solution. Don’t be surprised if you’re looking at Microsoft 365 Business Admin Center one day and realize that new features have been added to your service while the cost of your service has stayed the same. That is the nature of a software-as-a-service (SaaS) model and the reason why small businesses benefit from this type of solution.

Similarly, the features and functionalities of Intune that are available in the Microsoft 365 Business license are also evolving. While the current list of Intune device and application management features included in the license is robust, expect to see more features added or enhanced based on industry requirements and feedback from customers like you. You can view the latest list of features for the service at https://docs.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-business-service-description.

Better together with Intune and AAD

Intune and Azure Active Directory (AAD) are perfect together, like peanut butter and jelly in a sandwich. Intune uses the identity and access control features in AAD to effectively carry out its purpose. Without AAD, Intune would be a bit lost.

At a high level, the Intune/AAD combo in Microsoft 365 Business offers three key features that can help an IT admin run a tight operation:

  • Managing mobile devices: Whether it’s a company-supplied device or a bring your own device (BYOD) approach, keep control of company data in mobile devices used by employees on different platforms.
  • Managing mobile applications: Whether a mobile device is managed by a company or not, Intune enables the management of apps running on devices used to access company information.
  • Protecting company data: Imagine the effect on your company’s reputation if a disgruntled employee were to cut and paste an embarrassing detail about your organization and circulate it via email or Twitter. With app protection policies in Intune, you won’t have to imagine digging yourself out of such a nightmare.

These features are included in the pricing for the Microsoft 365 Business license currently starting at $20/user/month. They can be implemented in both company-owned mobile devices and an employee-owned device (bring your own device, or BYOD).

Although these Intune features are typically enough to meet the needs of a small business, it’s helpful to understand that they do not represent the complete capabilities in the full version of Intune, which can be purchased as a stand-alone service for as low as $6 per user per month all the way up to $14.50 per user per month as part of the Enterprise Mobility + Security suite.

Remember: There are many third-party mobile device and mobile application management solutions on the market, but I’ve found some to be overkill for small business needs and too expensive. With Microsoft 365 Business, you get more bang for your buck, especially if you’re just starting to implement device management and security policies for your organization.

Toggle switch revelations

Confession time. Without knowing it, you’ve been fed the Intune/AAD sandwich earlier in this book. In Chapter 5, I walk you through the Setup wizard for protecting work files on mobile devices. Although the process required only a few clicks on some toggle switches, you were creating complex policies in Intune worthy of a seasoned systems engineer!

Let’s get a refresher on what you did in Chapter 5 when you followed the steps for protecting work files on mobile devices. The following steps walk you through the policies created during that process:

  1. Navigate to https://admin.microsoft.com and log in with your global admin credentials.
  2. On the left menu, under the Devices group, click Policies.

    A list of policies is displayed in the Device Policies page, as shown in Figure 14-1.

  3. Select the Application Policy for iOS row, and note the settings for this policy displayed in the Edit Policy window on the right, as shown in Figure 14-2.
  4. Click the Close button to close the window and return to the Devices Policies page.

FIGURE 14-1: Device policies created during the Setup wizard.

FIGURE 14-2: Device policies created during the Setup wizard.

Now that you’ve seen what the policies look like in Microsoft 365 Admin Center, let’s see what they look like in Intune:

  1. Navigate to https://portal.azure.com.

    If you’ve already signed in to Microsoft 365 Admin Center, you should be automatically signed in to Azure. If not, enter your Microsoft 365 global admin credentials.

  2. In the Search box at the top, type Intune, and then click Intune in the list that appears, as shown in Figure 14-3.

    The Microsoft Intune page appears.

  3. On the left menu, click Client Apps.

    The Client Apps blade is displayed.

  4. In the Client Apps blade, under the Manage group, click App Protection Policies.

    The same application protection policies found in Microsoft 365 Admin Center Device Policies page are displayed, as shown in Figure 14-4.

  5. Click the Application Policy for iOS row.

    The Intune App Protection blade is displayed.

  6. On the left menu, click Properties.

    The Properties blade appears with three settings.

  7. Click the Access Requirements Configure Settings row.

    The Access Requirements blade is displayed, as shown in Figure 14-5.

FIGURE 14-3: Searching for Intune.

FIGURE 14-4: Application policies in Intune.

FIGURE 14-5: Access Requirements settings for application policy for iOS.

As you can see, the toggle switch you clicked during the Setup wizard controls several settings in Intune! When you’ve finished reviewing the magic you unknowingly created, click the Microsoft Intune link in the top breadcrumb navigation (see the top row in Figure 14-5) to go back to the Intune Overview page.

Choosing Between MDM and MAM

We’re all about choices. Especially in today’s workplace, where younger generations have access to devices that are much more feature-rich and nicer than company-supplied devices, you as an IT admin need to balance end user productivity and security. If you provide your users with a completely secure phone (some call it a “brick”) with all kinds of restrictions, people are not going to like it and may not use it. If you let people use their own mobile devices, you run the risk of exposing your company to security breaches.

Fortunately, a happy medium exists. With Intune, you can implement just a mobile device management (MDM) or a mobile application management (MAM) strategy or a combination. You’ll find that with the capabilities in your Microsoft 365 Business subscription, you can delight your end users without giving up your responsibility to secure company data.

Making the case for MDM

Unbeknownst to you, in addition to the complex policies configured during the Setup wizard in Chapter 5, you also created a robust Windows 10 device management policy with a few clicks to secure your Windows 10 device. If you’re curious to see what it is, follow these steps:

  1. Log in to Microsoft 365 Admin Center at https://admin.microsoft.com.

    You need your Microsoft 365 Global Admin credentials.

  2. On the left menu, under the Devices group, click Policies.

    A list of policies is displayed in the Device Policies page (refer to Figure 14-1).

  3. In the Policies page, click the Device Policy for Windows 10 row.

    The Edit Policy window is displayed on the right.

  4. Click Edit next to the line that reads Windows 10 Device Protection, Some Settings are ON.

    The Change Setting window is displayed.

  5. Click the drop-down arrow to the left of Secure Windows 10 Devices to display the toggle switches for this policy, as shown in Figure 14-6.
  6. Review the settings.
  7. Click the Cancel button, and in the next window, click Close.

FIGURE 14-6: Secure Windows 10 Devices policy in Microsoft 365 Admin Center.

If you want to see the configuration of this policy in Intune, follow these steps:

  1. Navigate to https://portal.azure.com.

    If you’ve already signed in to Microsoft 365 Admin Center, you should be automatically signed in to Azure. If not, enter your Microsoft 365 global admin credentials.

  2. In the Search box at the top, type Intune and click Intune in the list that appears (refer to Figure 14-3).

    The Microsoft Intune page appears.

  3. On the left menu, click Device Configuration.

    The Device Configuration — Profiles blade is displayed.

  4. Under the Manage group, click Profiles. On the right, click Device Policy for Windows 10.
  5. In the Device Policy for Windows 10 blade, click Properties, and then click the Settings row (it reads 5 Configured).

    The Device Restrictions blade is displayed, as shown in Figure 14-7.

  6. Review the settings.
  7. Click the OK button, and in the next window, click Close.

FIGURE 14-7: Device restrictions on Windows 10 device settings.
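The two portal walkthroughs above (the App Protection Policies blade and the Device Configuration profile) can also be reviewed without clicking through the blades. The following is an added example, not code from the book or from Microsoft: a read-only audit script using the Microsoft Graph PowerShell SDK (Connect-MgGraph and Invoke-MgGraphRequest, which you install with Install-Module Microsoft.Graph). It assumes the policies carry the display names the Setup wizard gave them and uses the Graph v1.0 property names for managedAppProtection and windows10GeneralConfiguration; the "weak setting" thresholds are my own choices, not the book's.

```powershell
# Added example: list the Intune policies the Setup wizard created and flag
# access-requirement settings an admin would want to double-check.
# Read-only Graph scopes are enough; nothing here modifies a policy.
Connect-MgGraph -Scopes 'DeviceManagementApps.Read.All','DeviceManagementConfiguration.Read.All'
$graph = 'https://graph.microsoft.com/v1.0'

# 1. App protection (MAM) policies: the "Application Policy for iOS/Android" rows.
$policyTypes = @(
    @{ Platform = 'iOS';     Uri = "$graph/deviceAppManagement/iosManagedAppProtections" },
    @{ Platform = 'Android'; Uri = "$graph/deviceAppManagement/androidManagedAppProtections" }
)
foreach ($type in $policyTypes) {
    $resp = Invoke-MgGraphRequest -Method GET -Uri $type.Uri   # returns a hashtable
    foreach ($p in $resp.value) {
        # These properties correspond to the Access Requirements blade (Figure 14-5).
        $weak = @()
        if (-not $p.pinRequired) { $weak += 'app PIN not required' }
        elseif ($p.minimumPinLength -lt 4) { $weak += "PIN length only $($p.minimumPinLength)" }
        if (-not $p.deviceComplianceRequired) { $weak += 'jailbroken/rooted devices not blocked' }
        if (-not $p.dataBackupBlocked) { $weak += 'org data may be included in device backups' }
        [pscustomobject]@{
            Platform    = $type.Platform
            Policy      = $p.displayName
            OfflineWipe = $p.periodOfflineBeforeWipeIsEnforced   # ISO 8601 duration
            Findings    = if ($weak) { $weak -join '; ' } else { 'OK' }
        }
    }
}

# 2. Device configuration (MDM) profiles: the "Device Policy for Windows 10" row (Figure 14-7).
$profiles = Invoke-MgGraphRequest -Method GET -Uri "$graph/deviceManagement/deviceConfigurations"
$profiles.value |
    Where-Object { $_['@odata.type'] -eq '#microsoft.graph.windows10GeneralConfiguration' } |
    ForEach-Object {
        [pscustomobject]@{
            Profile              = $_.displayName
            PasswordRequired     = $_.passwordRequired
            PasswordMinLength    = $_.passwordMinimumLength
            StorageEncryption    = $_.storageRequireMobileDeviceEncryption
            DefenderRealTime     = $_.defenderRequireRealTimeMonitoring
        }
    }
```

Run it in a tenant where your account holds the global admin (or Intune administrator) role; both tables are emitted to the pipeline, so pipe the script into Format-Table or Export-Csv to keep a record before you change anything.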

As you can see from the various configuration options available in Intune, you can manage devices at a granular level. For example, you can manage multiple devices owned by one user. Managing devices starts with the users enrolling their devices in Azure Active Directory (AAD). The process for enrolling mobile devices for management is covered in Chapter 15.

After mobile devices are enrolled, you can have control over those devices by remotely wiping corporate data from a device without affecting the user’s personal data. You can also prevent a user from accessing company data from mobile devices that are jailbroken; a device with restrictions removed could create a security hole.

If you purchase additional higher-end Intune licenses, you can also configure Wi-Fi or VPN on the devices, push apps to be automatically installed, and run additional controls to meet certain regulatory requirements.

Choosing MAM

If you have millennials in your organization walking around with their latest gadget and using your company-supplied laptop as a doorstop, that might be a signal for you to implement a mobile application management (MAM) strategy.

MAM is a great way to have a BYOD (bring your own device) strategy. If you choose this option, you’ll make your end users happy because they’ll be allowed to use their own swanky devices. On top of that, you’ll be saving them from a few warning prompts, which may lead to confusion and frustration.

You may also choose MAM over MDM if you have specific requirements to comply with regulations related to management of data on personal devices. Note that in MDM, you can remove all the data from a mobile device, whereas in MAM, you can remove only company data, leaving the user’s personal data untouched.

You can implement MAM by itself or on top of MDM policies. The app protection policies you create can stand on their own and do not have dependencies on any MDM policies. In fact, MAM can even be implemented alongside other third-party MDM solutions.
