Intune - Hybrid management of Windows 10 from Azure
Efficient management of the pool of client devices is a basic requirement for any organization. The IT department needs a central point from which it can retrieve an inventory of devices, apply configuration or security policies, and remotely wipe a device that is no longer under our control.
Intune is often thought of as an MDM dedicated to managing iOS and Android mobile devices. That idea is some way from reality and greatly understates what Intune can do. Here is why:
- Not just an MDM: Intune is actually an EMM (Enterprise Mobility Management) service. In short, a traditional MDM usually focuses on device management (profile configuration, restrictions, inventory, and so on), while an EMM such as Intune can also manage the corporate data on the devices and the applications installed on them, so it not only protects the device but also lets us secure the information it contains.
- Not only for mobile devices: Intune lets us manage our iOS, Android and Windows Phone mobile devices, but we can also manage our organization's Windows 10 computers and apply configuration policies, update policies or security baselines to them.
Our customers often raise reasonable doubts with me about bringing their laptops and desktops into Intune. In most cases the doubt is whether Intune is compatible with their on-premises Active Directory (AD) environment: the answer is that the two are compatible and well integrated. For example, we can enroll our computers in Intune automatically by setting up hybrid Azure Active Directory join, so that our computers are joined to both our on-premises AD and the cloud directory. With this hybrid administration we gain advantages such as SSO to Office 365 applications from our domain computers, or the ability to enable multi-factor authentication. More than that, it lets us protect access to cloud resources in a more granular way than we could with other solutions.
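As an added example (not code from the original post), here is a PowerShell check I would run on a Windows 10 client to confirm it is in the hybrid state just described: joined to the on-premises domain and to Azure AD, holding a primary refresh token (PRT) for SSO, and actually enrolled in Intune. It assumes that the field names match the `dsregcmd /status` output of current Windows 10 builds and that Intune enrollments are the keys under `HKLM\SOFTWARE\Microsoft\Enrollments` whose `ProviderID` is `MS DM Server`; the sample output at the end is constructed for offline use, not captured from a real tenant.

```powershell
# Added example: report hybrid Azure AD join state and Intune enrollment on a Windows 10 client.
# Assumptions: dsregcmd field names (DomainJoined, AzureAdJoined, AzureAdPrt, TenantName, MdmUrl)
# and the "MS DM Server" ProviderID used by Intune enrollments.

function Get-HybridJoinState {
    param(
        # Optional: captured "dsregcmd /status" output (one line per element), so the
        # function can also be used offline on text pasted from another machine.
        [string[]]$DsregOutput
    )
    if (-not $DsregOutput) { $DsregOutput = & dsregcmd.exe /status }

    # dsregcmd prints "   Name : Value" lines under boxed section headers.
    # Keep the first occurrence of each key; border and header lines do not match.
    $fields = @{}
    foreach ($line in $DsregOutput) {
        if ($line -match '^\s*(\S+)\s*:\s*(.+?)\s*$' -and -not $fields.ContainsKey($Matches[1])) {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    $domain = $fields['DomainJoined']  -eq 'YES'
    $aad    = $fields['AzureAdJoined'] -eq 'YES'
    $prt    = $fields['AzureAdPrt']    -eq 'YES'   # the PRT is what gives SSO and auto-enrollment

    [pscustomobject]@{
        DomainJoined           = $domain
        AzureAdJoined          = $aad
        HybridJoined           = ($domain -and $aad)
        HasPrt                 = $prt
        TenantName             = $fields['TenantName']
        MdmUrl                 = $fields['MdmUrl']       # empty when no MDM scope applies to the device
        ReadyForAutoEnrollment = ($domain -and $aad -and $prt -and [bool]$fields['MdmUrl'])
    }
}

function Get-IntuneEnrollment {
    # Assumption: Intune enrollments live under HKLM\SOFTWARE\Microsoft\Enrollments with ProviderID "MS DM Server".
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Where-Object { $_.ProviderID -eq 'MS DM Server' } |
        Select-Object @{ n = 'EnrollmentId'; e = { $_.PSChildName } }, UPN, DiscoveryServiceFullURL
}

# Constructed sample (not real output from any tenant) so the parser can be tried offline:
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP
+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+
                TenantName : Contoso
                    MdmUrl : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : YES
'@ -split "`r?`n"

Get-HybridJoinState -DsregOutput $sample   # HybridJoined and ReadyForAutoEnrollment both True
# On a real client, run both without arguments:
# Get-HybridJoinState; Get-IntuneEnrollment
```

A device that shows `HybridJoined` True but `HasPrt` False is the classic case of a computer that has not had a user sign in since the join completed; auto-enrollment will not happen until it does, and checking this before raising a ticket saves time.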
Does that mean Intune replaces SCCM? Not at all. SCCM has been, and continues to be, the flagship enterprise tool for managing computers and servers; as part of the System Center family of products, it offers more advanced and extensive functionality than Intune, and its years of integration with the most demanding and largest Active Directory environments make it hard to replace. SCCM is certainly aimed at medium-sized and large organizations.
In addition, with SCCM we can manage client operating systems older than Windows 10, as well as server operating systems. In any case, SCCM and Intune are integrated so that the best features of both tools can be combined to give the company a 360-degree device management solution.
This time I am going to introduce the device-level management capabilities of Intune for Windows 10. As I mentioned, there are many features we gain access to if we make Intune our computer management tool. In a later post we will delve into the details of Azure AD and its integration with our on-premises directory.
Intune lets us define configurations on the devices that control different settings of the computer. These configurations are defined as profiles; among others, there are the following:
- Security (endpoint protection): lets us set the behaviour of the firewall, BitLocker or Windows Defender, among others.
- Windows Hello.
- Administrative templates.
- Device restrictions: lets us configure the general settings of the computer, such as blocking features (access to the Control Panel or the Settings app in the case of Windows 10), configuring the Start menu or setting the device's privacy options.
- VPN, Wi-Fi, certificates or email: these items are configured automatically on the devices.
- Bandwidth optimization for downloading updates.
- Windows edition upgrade.
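Assigning a security profile is only half the job; the other half is confirming on the client that the settings it carries are in effect. The following PowerShell check is an added example, not code from the original post: it reads the firewall, BitLocker and Windows Defender state with the NetSecurity, BitLocker and Defender modules that ship with Windows 10 and compares it against expected values. Those expected values (all firewall profiles on, OS drive protected, real-time protection on, signatures no older than seven days) are assumptions chosen for the example, not a profile from the post; adjust them to your own baseline. Run it in an elevated session, since the BitLocker cmdlets require it.

```powershell
# Added example: verify that an endpoint protection profile's firewall, BitLocker and Defender
# settings are actually in effect on a Windows 10 client. Expected values are assumptions.

function Test-EndpointProtectionState {
    param(
        [string]$OsDrive = $env:SystemDrive,   # e.g. "C:"
        [int]$MaxSignatureAgeDays = 7
    )

    # One row per checked setting; Ok is a straight comparison of expected and actual.
    function New-Finding($Area, $Setting, $Expected, $Actual) {
        [pscustomobject]@{
            Area = $Area; Setting = $Setting; Expected = $Expected; Actual = $Actual
            Ok   = ($Expected -eq $Actual)
        }
    }
    $findings = @()

    # 1. Firewall: the profile's "enable firewall" setting should leave Domain, Private and Public on.
    foreach ($fw in Get-NetFirewallProfile) {
        $findings += New-Finding 'Firewall' "$($fw.Name) profile enabled" 'True' ([string]$fw.Enabled)
    }

    # 2. BitLocker: the OS volume should report ProtectionStatus "On" (encrypted, key protectors active).
    $bl = Get-BitLockerVolume -MountPoint $OsDrive -ErrorAction SilentlyContinue
    $blStatus = if ($bl) { [string]$bl.ProtectionStatus } else { 'Unavailable' }
    $findings += New-Finding 'BitLocker' "$OsDrive protection status" 'On' $blStatus

    # 3. Defender: real-time protection on and signatures recent.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $rtp = if ($mp) { [string]$mp.RealTimeProtectionEnabled } else { 'Unavailable' }
    $findings += New-Finding 'Defender' 'Real-time protection enabled' 'True' $rtp

    $sigAge = if ($mp) { [int]$mp.AntivirusSignatureAge } else { -1 }   # -1 = status unavailable
    $sigFresh = [string]($sigAge -ge 0 -and $sigAge -le $MaxSignatureAgeDays)
    $findings += New-Finding 'Defender' "Signature age <= $MaxSignatureAgeDays days" 'True' $sigFresh

    $findings
}

# Usage: show only the settings that did not land as expected.
Test-EndpointProtectionState | Where-Object { -not $_.Ok } | Format-Table Area, Setting, Expected, Actual
```

An empty result means the profile is in effect; a row with `Unavailable` in the `Actual` column usually means the check was run without elevation or on a device where the feature is not installed, which is worth distinguishing from a genuine misconfiguration before escalating.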
Intune lets us install applications on Windows 10 computers remotely and unattended, but not only can we install them: we can also push custom configurations so that the user only has to open the application to start using it, with no installation and no setup steps...
You may think this is functionality that Active Directory GPOs have provided on-premises for decades, and that is true, but think of the computers that do not connect to our corporate network regularly, for which we do not know when they will ever get to apply that GPO.
Intune lets us set update policies for our computers in which we define options such as the channel used to obtain updates, the installation time windows, the allowed deferral, and user experience options related to installing updates, such as preventing the user from cancelling the patch installation or setting a restart deadline.
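For an unattended install to be reliable, Intune needs a way to decide whether the application is already present at the right version, and a custom detection script is one option for that. The script below is an added example, not code from the original post: it follows Intune's contract for Win32 app detection scripts (write something to STDOUT and exit 0 when the app is detected; write nothing and exit non-zero otherwise) and looks the application up in the Add/Remove Programs registry keys. The application name and minimum version are assumptions for the example.

```powershell
# Added example: Intune Win32 app custom detection script.
# Contract: output to STDOUT + exit code 0 = detected; no output + non-zero exit = not detected.
# The DisplayName and version below are assumptions for this example.

$ExpectedName    = 'Example Corp Client'   # assumed DisplayName as registered in Add/Remove Programs
$ExpectedVersion = [version]'2.4.0'        # assumed minimum acceptable version

# Check both the 64-bit and the 32-bit (WOW6432Node) uninstall keys; either may hold the entry.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Collect the parseable versions of matching entries and keep the highest one.
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -eq $ExpectedName } |
    ForEach-Object {
        $v = $null
        # Skip entries whose DisplayVersion is not a dotted version string instead of failing.
        if ([version]::TryParse([string]$_.DisplayVersion, [ref]$v)) { $v }
    } |
    Sort-Object -Descending |
    Select-Object -First 1

if ($installed -and $installed -ge $ExpectedVersion) {
    Write-Output "Detected $ExpectedName $installed"
    exit 0
}
# Not installed, or an older version: stay silent so Intune treats the app as missing.
exit 1
```

Pinning a minimum version rather than only the name is what makes the same deployment also serve as an upgrade: a device with an older build is reported as "not detected" and receives the install again.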
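The update ring settings in the paragraph above reach a Windows 10 client through the Update CSP, so the most direct way to confirm that a ring has applied is to read the resulting values on the device. The function below is an added example, not code from the original post; it assumes that the applied MDM values are mirrored under `HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Update` and that the value meanings follow the Update CSP documentation (`BranchReadinessLevel`, `AllowAutoUpdate`, `DeferQualityUpdatesPeriodInDays`, `DeferFeatureUpdatesPeriodInDays`, `ActiveHoursStart`, `ActiveHoursEnd`). The sample hashtable at the end is constructed for offline use, not read from a real device.

```powershell
# Added example: translate the Update CSP values an Intune update ring leaves on a client
# into readable form. Registry path and value meanings are assumptions documented above.

function Get-IntuneUpdateRingState {
    param(
        [string]$RegistryPath = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update',
        # Optional: a hashtable of Update CSP values (e.g. exported from another device) for offline use.
        [hashtable]$Values
    )
    if (-not $Values) {
        $Values = @{}
        $props = Get-ItemProperty -Path $RegistryPath -ErrorAction SilentlyContinue
        if ($props) {
            # Copy the registry values, skipping the PS* provider properties Get-ItemProperty adds.
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -notmatch '^PS') { $Values[$p.Name] = $p.Value }
            }
        }
    }

    # Update CSP BranchReadinessLevel values (servicing channel chosen in the ring).
    $channels = @{
        2 = 'Windows Insider (Fast)'; 4 = 'Windows Insider (Slow)'; 8 = 'Release Preview'
        16 = 'Semi-Annual Channel (Targeted)'; 32 = 'Semi-Annual Channel'
    }
    # Update CSP AllowAutoUpdate values (user experience around install and restart).
    $autoUpdate = @{
        0 = 'Notify the user before download'
        1 = 'Auto install, notify the user to schedule the restart'
        2 = 'Auto install and restart (default)'
        3 = 'Auto install and restart at a specified time'
        4 = 'Auto install and restart without end-user control'
        5 = 'Automatic updates turned off'
    }

    function ConvertTo-Description($Table, $Value) {
        if ($null -eq $Value) { return 'Not set (policy not applied)' }
        $text = $Table[[int]$Value]
        if ($text) { "$Value ($text)" } else { "$Value (unknown value)" }
    }

    $start = $Values['ActiveHoursStart']; $end = $Values['ActiveHoursEnd']
    $activeHours = if ($null -ne $start -and $null -ne $end) {
        '{0:00}:00 to {1:00}:00 (no forced restarts in this window)' -f [int]$start, [int]$end
    } else { 'Not set' }

    [pscustomobject]@{
        PolicyPresent         = ($Values.Count -gt 0)
        ServicingChannel      = ConvertTo-Description $channels $Values['BranchReadinessLevel']
        QualityUpdateDeferral = $Values['DeferQualityUpdatesPeriodInDays']   # days, 0-30
        FeatureUpdateDeferral = $Values['DeferFeatureUpdatesPeriodInDays']   # days, 0-365
        AutomaticUpdateMode   = ConvertTo-Description $autoUpdate $Values['AllowAutoUpdate']
        ActiveHours           = $activeHours
    }
}

# Constructed sample (values chosen for this example, not read from a real device):
$sample = @{
    BranchReadinessLevel            = 16
    DeferQualityUpdatesPeriodInDays = 7
    DeferFeatureUpdatesPeriodInDays = 60
    AllowAutoUpdate                 = 4
    ActiveHoursStart                = 8
    ActiveHoursEnd                  = 18
}
Get-IntuneUpdateRingState -Values $sample
# On a managed device, run it without -Values to read the live values.
```

`PolicyPresent` False on a device that should be in a ring is the first thing to look at: it usually means the device is not in the ring's assigned group or has not synced yet, and no amount of reading the individual values will tell you more until that is fixed.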
In the second part of this article we will look at other very interesting features of this hybrid device management, such as:
- Windows Autopilot, for the automated deployment of computers.
- Conditional access.
- Security baselines, to establish the most secure configurations in our clients.