GitBit
BlogFirst lesson
Sign Up

Introduction to Intune

So far, we have looked at securing Microsoft 365, Microsoft servers, and third-party devices like firewalls, but we haven't looked at how to secure Windows 10, Android, Apple iOS, and Macs. Securing client devices is exactly where Microsoft Intune comes into play. If you haven't used SCCM, don't worry; I'll explain Microsoft Intune and most of its components throughout the next lessons. 

Endpoint Manager admin center

So far, we have looked at securing Microsoft 365, Microsoft servers, and third-party devices like firewalls but we haven't looked at how to secure Windows 10, Android, Apple iOS, and Macs. Securing client devices is exactly where Microsoft Intune comes into play.

Let's review the parts of my Microsoft Intune to explain what it can do.

What licenses make Microsoft Intune available?

Intune is included in the following licenses:

  • Microsoft 365 E3 and Microsoft 365 E5.
  • Enterprise Mobility + Security E3 and Enterprise Mobility + Security E5.
  • Microsoft 365 Business Premium.
  • Microsoft 365 F1 and Microsoft 365 F3.
  • Microsoft 365 Government G3 and Microsoft 365 Government G5.
  • Intune for Education.
  • Microsoft 365 Education A3 and Microsoft 365 Education A5. 

How do you connect to the Intune admin center?

Before we dive into what Intune can do, let's connect to the back-end admin center. Microsoft calls the admin center Microsoft Endpoint Manager admin center. You can access the Microsoft Endpoint Manager admin center by going to your Microsoft 365 admin center > admin centers > Endpoint Manager

How to open the Endpoint Manager admin center

Inventory

First, Microsoft Intune will hold all of your client devices providing an inventory to help you manage all of the devices. It will gather a ton of information about the device but don’t worry, it won’t gather user information that the organization doesn’t need. Once the devices are in Microsoft Intune you can do a lot of cool things with them. And don't worry, Microsoft Intune keeps your devices in Azure Active Directory so you can configure conditional access policies around your devices.

How to view all the devices in Intune

To view all the devices in Intune go to Microsoft Endpoint Manager admin center > Devices > All devices.

How to setup clean-up rules

Since users are always leaving your organization and replacing devices the Intune inventory will get stale pretty quickly. Microsoft Intune can automatically remove devices for you. Let's configure Intune to automatically remove devices that haven't checked in for 60 days.

1. Go to Microsoft Endpoint Manager admin center > Devices > Device clean-up rules.

2. Click Delete devices based on last check-in date to Yes.

3. Set Delete devices that haven't checked in for this many days to 60.

4. Click Save.

Intune automatically clean-up stale devices

Configuration profiles

Microsoft Intune configuration profile

For example, you can deploy configuration profiles that will configure the devices for you. For example, you can configure encryption to be deployed to all your Windows 10 devices. The encryption can happen silently behind the scenes, so your users don’t even know it’s happening.

Sometimes, configuration profiles require the users to configure the devices. For example, requiring a passcode on all Android devices. Since Intune doesn’t know what the user will want the passcode to be, Intune will prompt the user to configure the passcode.

Compliance policies

Microsoft Intune compliance policy

Compliant policies are a way to verify a device is configured properly. They can work in conjunction with configuration profiles. Let's take an example.

Let's say you have a configuration profile that requires a user to set up a password on their Android device. How do you know the user has set up the password and hasn't simply skipped and ignored the messages? Furthermore, how do you block a device from getting corporate data while it does not have a password protecting it? This is where compliance policies come into play.

We can configure a compliance policy to verify a user has a password on their device and we can block that device from receiving Microsoft 365 data until the user has configured the password.

App deployment

App deployment

Another notable feature of Microsoft Intune is the ability to deploy and configure apps. For example, you may want all devices to be using Microsoft Outlook. We can deploy Microsoft Outlook to Windows, Mac, Android, and iOS devices and we can configure Outlook to automatically connect to the user's Microsoft 365 mailbox.

Push updates

Intune Update rings

Last but not least is the ability to push updates to some devices. I say some devices because Google and Apple block you from pushing updates to some of their devices. We’ll get into those details later. But by using compliance policies we can force users to update their devices if they want access to Microsoft 365 data.

Forget deploying images. Use Windows Autopilot

Autopilot

Finally, Microsoft Intune has something new called Autopilot. With Windows Autopilot, you no longer need to reimage a Windows 10 or Windows 11 computer or manually set up new devices. Your hardware vendor can ship them already connected to Intune straight to your employees. Or you can configure a device using Autopilot and automate the deployment of the device yourself.

There are three major advantages to using Windows Autopilot:

1. Device registration: Windows Autopilot will automatically add the new device to Microsoft Intune, Microsoft 365, and join your domain for you.

2. Profile creation and assignment: With the device automatically being joined to Microsoft Intune you can automatically deploy configuration profiles and apps to your devices.

3. Shipping: Your vendor can ship devices directly to your users. Then your users can turn the device on, connect to the internet, and Windows Autopilot will automatically deliver apps and settings.

Setting device join limits

Finally, there's one more option I'm unsure what lesson to put it under, so it's going here. How to set a limit on the number of devices a user can enroll into Intune or Azure AD.

There are two places to limit the number of devices a user can enroll: Intune and Azure AD.

How to restrict the number of devices a user can enroll in Intune

Setting this option will limit the number of devices a user can enroll in Intune. This setting won't affect how many devices a user can have in Azure AD.

1. Go to Microsoft Endpoint Manager admin center > Devices > Enroll devices > Enrollment device limit restrictions > All Users.

Limit the number of devices a user can enroll in Intune

2. Click Properties > Edit. Set the number of devices you want a user to be able to enroll. Click Review + save. Click Save.

Limit enrollments in Intune

How to limit the number of devices a user can have in Azure AD

This setting will limit how many devices a user can have in Azure AD. Since Intune creates the devices in Azure AD this setting will affect Azure AD and Intune.

1. Go to Azure Active Directory admin center > Azure Active Directory > Devices.

Azure AD Devices

2. Click Device settings. Set the Maximum number of devices per user. Click Save.

Set Azure AD Device limits

PreviousNext