Microsoft Intune Core Skills Jump Start – Module 1: Why Microsoft Intune?

I’ve just done watching introductory module of Microsoft Intune Jump Start entitled “Why Microsoft Intune?” Below you may find almost entire transcript of what was covered in this module (not verbatim, but something relatively close to this).

Microsoft has been building Intune for the last 5 years. It was started off with core idea of PC cloud management without on-prem infrastructure. But after 1st wave focus shifted to MDM. How Intune can be compared with SCCM?

Fundamental difference between SCCM and Intune? SCCM is all about SCCM client which you push to the clients and infrastructure you have to control this client. Intune is mostly talking over protocols to devices that you can put agents on. And this fundamentally changes architecture and infrastructure of those systems.

SCCM has unbelievable amount of infrastructure built into it to solve corporate WAN network topology situations.

Imagine some specific device rarely connecting to the network over satellite link which has to be managed with SCCM client. SCCM tried to solve fundamentally different set of problems: WAN optimization, dealing with the differences between satellite links versus classic ISDN links OR just regular Internet links and this set of problem defined it’s complex infrastructure.

Intune started with different set of problems and different code base, it was not about creating huge SQL servers with loads of processing power and highest network bandwidth but about really creating a system which can scale out inernet-scale built on top of Azure.

Building on top of Azure means also ability to integrate with other parts of Azure. Intune uses Azure AD For example. One of largest misconceptions about Intune is when people say that Intune is just another MDM solution like . But Intune it is part of all up Microsoft Enerprise Mobility Suite which incorporates identity, device management and productivity and the productivity services that come with O365.

And all those components are necessary to land mobility into enerprise.

Intune was build not so much to manage mobile devices but to enable secure access to resources. So Intune is not just another MDM that’s about setting policy on devices, it’s about enabling corporate users access to corporate information while keeping corporate information protected.

One of Intune investments specifically connected to Azure AD is conditional access control which strongly leverages the identity component of Azure AD. So Intune’s key differentiator is conditional access as the way it is being delivered as a solution with Office. This does require an identity stack, a device management stack, the productivity applications and the productivity services to all work together.

Corporate environment not so long was about perimeter and granting access to devices outside the perimeter to your corporate intranet and resources behind the perimeter. Now it’s all shift to the state where there is no perimeter – O365 and data and applications are on Internet-facing services and your devices are Internet-facing devices.  More and more companies moving away from intranet-style networks to more open Inernet style networks. So in case there is no perimeter, how you are going to protect your data and devices?

The work Microsoft has done across the whole EMS and ECM suites is really about protecting data and enabling mobility in this world without perimeters. Lots of people are fixed on the old approach of just taking a VPN and providing a VPN to a particular app on a device the very best way of doing that. But we can think about this from the resource prospective and controlling access to it wherever it is. Because of this we can see strange situations where companies have a cloud service, but in order to access cloud service you’ve then got to VPN back into something on-prem so that it can run through the on-prem proxy server in order to then go and access something. People doing this to make it secure. Experienced IT pros well understand the business requirement to keep the corporate data protected and the mechanisms they use with VPNs or reverse proxies or putting the ADFS server behind the firewall. Those have been historically the only way to protect that data. With Intune MSFT tries to say that there s potentially a better way to do that where you still have internet connected devices and Internet facing services and you can garantee that only devices that are well-managed or applications that are well-managed can get access to your corporate resources or services. And that’s fundamentally the business requirement. It’s not the business requirement to have two perimeters and do that crazy VPN thing, the business requirement is to keep the corporate data corporate and to not delete kids pictures arbitrarily. 🙂

This requires new set of core skills and presents new opportunities for cost savings. Historically to deal with BYOD companies just sort of extending their perimeters, but with Intune you probably can find a better way for “cloud first, mobile first” world which leads to simplicity and lower cost.

Intune is heavily integrated with O365 and recently MSFT announced ability to do MDM directly through O365. If we look at the number of mobile devices under management today we can see that the single most popular MDM tool is Exchange ActiveSync. And with it we see the following base capabilities in secure deployments: deploying device-level PIN, enforcing encryption, doing e-mail account configuration. This is core set of features most customers really need. The question is what’s the step above Exchange ActiveSync? And MSFT Office team said that they want to extend the capabilities of Exchange ActiveSync with couple of scenarios in mind. To extend the EAS ABQ, the Allow/Block/Quarantine system, so that you can only deliver e-mail on a device that’s well-managed. Because that’s one of the real limitations of ABQ today, you open it up for a given mailbox, whereas enchanced control may be necessary – that was an early view of what conditional access was going to be. The other limitation/missing feature was ability to detect if a device was jailbroken. Doing that across iOS and Android devices and Windows Phone devices was going to require them, the O365 team, to do an investment in MDM in the same way than Intune team done already. So idea was to try and and take existing UX and the existing systems that exist with Exchange ActiveSync today and extend them with native device management, give incrementally more control to the admin without turning them all into device admins. In effect with the MDM for O365 it’s really targeted towards the administrator who’s administering Office and wants to have some control over the devices they managed. It’s not really focused on the people who are the device manager who are conrolling a broad set of services on those devices (seems that this is a focus for other MDM players?). It was a really good way to extend the underplaying capability of Exchange ActiveSync while not turning every single office admin into a device admin.

There are loads of devices which are Exchange ActiveSync managed and it causes you some issues. You can’t do a selective wipe on that type of device if it’s only managed by Exchange ActiveSync. What devices do we actually manage through Microsoft Intune, what do we capable of managing? iOS, Android, and there is a variant of agent that specifically authored for Samsung KNOX standard platform so we can do some additional configuration on that, Windows Phone, Windows RT & Windows x86 devices with in-built MDM support or with an Intune PC agent which can be deployed on Windows 7 and above. Probably from popular device platforms only BlackBerry devices are missing in this list.

How Intune Intune fits into on-prem, GP management environments? To compare GP to Intune is not doing the right underlying comparison. You could think of GP in Windows compared to what’s called OMA-DM agent in Windows or what the core MDM properties that are exposed in iOS because those are the core set of properties that can be managed on the device. And if you look at Windows specifically and say what’s the comparison between what you can manage with the Windows 8.1 system with the in-built MDM system versus managing that Windows 8.1 system that matte domain joined or is getting GP commands or is using a full SCCM agent on the device. Typically it starts from the beginning of the workflow or the life cycle of that device. If you are expecting that on Windows that you have a base image that you are deploying on those devices, likely Intune is not the right option for you. If you want to reimage devices and if that’s something that you find yourself doing quite frequently and if for example you have a broad set of very complex Win32 software that has a lot of dependencies that you need the full application model and SCCM to manage, Intune is likely not the right place to go or it’s not best to use Intune to manage those PCs. It’s better to use SCCM to manage those PCs. The other big qualification is if you look at Group Policy – there is about 20 000 policies that are accessible in the system, and just for IE there is more than 5000 GPO settings and those settings are not all obviously exposed through the in-built MDM agent in Windows for better or for worse. MSFT is trying to reduce some of the complexity around managing those endpoints. So if your workflow starts with imaging likely in SCCM, if you looking for really granular GPO control to have tight lockdown or if you want your user to work without admin rights than you want me control on that device than maybe in-built MDM system would give you, there are some cases where you can use standard user with MDM , but that’s an interesting trigger point to look at. Then just the massive software that you would deploy. If it’s really simple software or you are deploying universal apps that’s reasonable. If you have software that has heavy dependencies, heavy co-dependencies, you will likely need a more complex app model that you get with SCCM.

App models are entirely different on mobile devices and this is the area of heavy investments in Intune. When you add mobile applications to a managed device, say iOS, do they get containerization, does that actually kick in? Yes.

We can think about containerization using metaphor of concentric circles. The first level for iOS at the core of these circles is the store-delivered application, which gives you quite a degree of data protection. Though this is mixed blessing. iOS doesn’t have a file system in the same way that Windows has a file system so that application is restricted to writing to selected shared folders plus the data storage that’s associated specifically with that application. In effect that application by default is in a pseudo container. The level above that is when that application is actually delivered over an MDM channel form Intune or from any other MDM. There you get some additional controls because IT can both push the application to the device and remove it with its associated data from the device. But you still have the problem that data can often be saved from that application and put onto the local device. It isn’t necessarily encrypted, it’s encrypted if there is encryption under PIN setup on the device but there is no specific app level encryption. The third ring outside of that is when you have an application that’s been enlightened with Intune SDK, which actually understands those application management policies. There you can set additional policies to limit whether application can save data locally, can save to other services or to restrict clipboard operations so that you can’t easily move data between corporate and personal apps. So basic capabilities provided by an OS, then more capabilities when application is delivered over MDM and yet more capabilities when the application is Intune SDK aware or uses some similar SDK to do an application management.

On iOS and Android there is so called managed browser and for Intune SDK aware applications you can indicate whether links from that application that would otherwise start a browser, whether they open up only in the managed browser. That managed browser is a special type of application that actually is enlightened with Intune SDK where those same corporate data policies can be applied to it.


Module 1 Questions

Leave a Reply

Your email address will not be published. Required fields are marked *