Special features of Microsoft Intune
Many of today’s businesses are interested in learning more about Microsoft Intune – some due to rising cost pressure, others in order to move more solutions to the cloud, bundle multiple technologies with one manufacturer or better utilize their licenses.
However, there is a lot for companies to consider when switching to Microsoft Intune. Our interview with Roman Usiatycki and Robert Hamel covers the special features of Microsoft Intune that businesses must consider and what compromises they may also need to make when transitioning.
Robert, can you explain first why so many businesses are interested in Microsoft Intune right now?
Cost pressure is certainly a key issue for many of them. Businesses need to determine whether and where they can save money. Consequently, many of them are asking if they should buy additional licenses for a different UEM system on top of the M365 licenses and the Intune license they already have. However, it’s important to take a closer look at what their existing licenses actually include in detail.
Then there are other companies that want to use a single UEM system for all of their devices. They want to manage their smartphones and tablets along with their Windows and macOS devices but are currently using different systems to do this. They need to determine the depth at which they can achieve all these objectives with Microsoft Intune. In general, though, there are several things in the Microsoft world that support these objectives. It allows you to control who can access what via which means. And Microsoft did a relatively good job of implementing this – not least because it can also be integrated with many other systems. For example, you can ensure that a UEM client is used as a condition for device compliance. This can be incorporated into the set of rules for conditional access.
In addition, more and more companies are pursuing a cloud strategy, which is prompting them to consider switching to Microsoft Intune. They want to move as many of the solutions from their own infrastructure as possible to the cloud. Reasons for this include cutting costs, relieving the burden on their IT department and taking advantage of the many other benefits of external hosting.
Very often it is a combination of these reasons. However, we also have customers who cannot use the cloud right now due to legal regulations. These companies need an on-premise strategy – or they need to decide if a hybrid variant might make sense for them. Because it’s also possible to retain some solutions in house and move other solutions to the cloud if statutory provisions permit. These considerations can lead to two different UEM systems – depending on a company’s overall requirements.
You mentioned that businesses need to take a closer look at their licenses. Why is that?
Many companies already have Intune licenses included in their existing Microsoft plan. But a closer look is warranted. Microsoft doesn’t always make things easy when it comes to licensing. There are many different suites: e.g. the Office Suite or the Windows Enterprise Suite. For device management, it’s important to have an Intune plan that includes the Enterprise Mobility + Security Suite. But the suite alone isn’t always enough. It also depends on which bundle a company uses. There are different versions – from E1 to E3 to E5.
Businesses that use the Microsoft 365 Suite are in the best position, as it includes all suites. But here as well, the version plays a key role. This means that enterprises need to determine in detail whether the Microsoft plan they use today also includes all of the functions they want to map in their current legacy world.
There are also premium licenses that don’t make things any easier. Some exciting features were recently added that can be purchased as individual add-ons or as a complete package.
One example is the “Advanced Endpoint Analytics” feature for extended device monitoring or the “Endpoint Privilege Management” feature. The “Microsoft Tunnel” is available for mobile application management – that is the ability to control access to enterprise apps and resources via conditional access in the MAM environment and to enable Single Sign-On. There is also a “Remote Help Function” available that relieves the burden on the Help Desk. For support cases, the support team can work directly with impacted users to determine an existing issue and how to resolve it. This greatly simplifies the process.
To sum up, enterprises need to determine which licenses their current plans actually include and which additional licenses may be necessary. So, in general: Can businesses seamlessly transfer all of the features from their legacy world to the Microsoft world?
Well, again, it pays to take a closer look. Microsoft does offer businesses an environment for all of their devices in general. iOS, iPadOS, Android, Windows and macOS devices can be managed relatively well on a single platform – with a good overview of all of the devices.
However, to answer your question, it’s important to determine what you expect from device management now and in the future: If an enterprise primarily provides device configurations for emails, PIM, WiFi, VPN profiles and perhaps individual apps – that is, if it simply transfers the corresponding profiles for the devices to the system and manages them for the users, there is a very fast and effective path for migrating to Microsoft Intune. And it’s possible to successfully connect other systems to Microsoft – a number of them are already well-integrated with Exchange Online.
Companies that still use systems as application servers on premises have the option of using the Microsoft Tunnel to reach and access them.
We should mention that the Tunnel is currently only available for iOS and Android. So, when we talk about managing all devices via a single platform, it’s important to understand that a different VPN solution will need to be implemented for desktop systems.
Exactly. It’s not possible at the moment but it might be in the future. After all, Microsoft is constantly adding new features that are offered as previews at first. There are some exciting features expected for iOS and macOS in particular this year, and many are already available for preview. One extremely interesting aspect relates to software distribution on macOS. Right now, it looks as if we’ll be able to do more than simply distribute packages in the future.
Enterprises that want to manage Windows devices in the modern environment will find a number of features native to Microsoft Intune that are easy to connect. For example, Autopilot – which automatically enrolls Windows devices – is very easy to integrate
In other words, Microsoft offers plenty of options. Are there also some things that are not so easily implemented or areas where businesses will need to make compromises?
There certainly are. Enterprises are dependent on Microsoft’s update cycles, for instance. This means they won’t be able to receive an update at a specific time like they are accustomed to with on-premise solutions. Moreover, they must rely on the new features working right away. If this is not the case or if there is a delay with a feature a company is interested in, then the IT team will need to adjust their plans. However, as we mentioned before, software distribution should see further improvements, especially for macOS.
Individual processes can also be different with Microsoft Intune – and they may occasionally be a bit more complicated. This is because a number of functions are interrelated – like during the initial set-up. In certain circumstances, the Authenticator may need to be configured on the devices first so that users can authenticate themselves and everything else will work as expected. Having detailed documentation can be a real lifesaver in cases like this. It’s essential for colleagues who configure the devices to know when one step might take a little longer or when they need to follow steps in a certain order, like knowing where to sign on first.
Furthermore, many enterprises are used to having certain configurations appear immediately after they are set up. For example, AwaitDeviceConfiguration is a very interesting topic on iOS that can already be previewed and will likely be released soon for macOS. It makes it possible to install certain applications on a device during the set-up process so that users don’t need to wait for specific apps to be installed following configuration. They can use their device right away.
Our customers have also already discovered that certain things may not work as quickly as they did before or that specific features may not be available yet. You can request features but obviously that takes a while, and businesses have to adapt to this.
Another thing that should be mentioned here is the subject of troubleshooting. Naturally, when errors occur you can export error codes and search for entries on them. Many error codes also feature very good descriptions. With others, things may be a bit more difficult. Often you may need help from an external source – like the EBF team, for example. 😉
A thing we obviously can’t do is extract log files from the cloud environment. However, we can download logs from the devices. These logs help us get a clearer picture of the error. And even if the error isn’t documented, we usually know what to do thanks to our wealth of experience. After all, most problems tend to recur, which is why we can usually lend a hand.
Many thanks for your insights! So, in a nutshell: What tip would you offer to enterprises that are interested in Microsoft right now?
Enterprises should always do detailed research on the pros and cons of any system. What advantages will it bring, what clear disadvantages, what are some areas where they might need to find a workaround? Under certain circumstances, a hybrid solution can be a viable option. Of course, many businesses are interested in saving money.
I think it’s critical for companies to determine what they expect from device management now and in the future. If I only need to provide configurations and apps and perhaps a policy or two, then migrating should be relatively easy. However, if I have a number of systems to connect and possibly even very special usage scenarios, then I need to plan effectively and look at how and, if necessary, with what compromises I can implement this.
For all those interested in Microsoft Intune, we will be running an exclusive on-site event in Cologne in September 2023. In various sessions, our experts will provide important insights and interesting facts about the switch to Intune, the operation of the solution and show which solutions can be used to complement Microsoft Intune.
Be among the first to receive the invitation to the event by subscribing to our newsletter now.