
Microsoft Intune – Your Questions Answered

Microsoft Intune (for a time marketed under the Microsoft Endpoint Manager name) is a cloud service in Microsoft Azure that manages devices which are joined to, or registered with, Azure Active Directory, and it adds a long list of useful controls to those devices. Please see our blog post Azure Active Directory – Your Questions Answered for more details on Azure Active Directory.

What is Intune and What Are Its Benefits?

Microsoft Intune is part of Microsoft 365 (formerly Office 365) and covers both MDM (Mobile Device Management) and MAM (Mobile Application Management). It is a cloud service hosted in Microsoft Azure; there is no on-premises version, although organisations that still run on-premises Configuration Manager can attach it to Intune rather than replace it. Despite the names, MDM and MAM are not limited to phones and tablets: the same policies apply to any desktop or laptop enrolled in Intune.

There are several benefits to using Intune; here are some of the ones that our clients have found the most useful:

  • Corporate devices, whether Windows, Android or iOS, can be fully wiped remotely from the Intune portal, removing all their applications and data.
  • Employees’ personal devices, again Windows, Android or iOS, can have corporate data selectively wiped from them remotely through the Intune portal, leaving personal data untouched.
  • SharePoint and OneDrive data can be prevented from leaving your corporate environment by using App Protection Policies, for example by blocking “Save As” to personal storage.
  • The same App Protection Policies lock sensitive data to corporate applications, which prohibits the data from being copied and pasted into non-corporate applications.
  • To shield confidential data from people outside the business, policies can require a PIN before specified applications will open.
  • During the Windows OOBE (Out of Box Experience), Windows Autopilot profiles can automatically join a new machine to Azure Active Directory, enrol it in Intune and install the applications and policies it needs, without IT touching the device.
  • Software can be deployed remotely as packages. A new application, for example, can be pushed to many machines in far less time than it would take to install it on each machine manually.
  • Intune collects a hardware inventory from every enrolled device, which can be exported as an asset list; our clients find this a useful and time-saving way of keeping insurance records accurate.
  • Devices report their compliance status automatically, such as their Windows 10 version, whether the latest security updates are installed, and so on.
  • Update rings and feature update policies control, and report on, when new Windows features reach specific devices. Devices can be divided into groups (for example a pilot ring and a broad ring) so that updates are staged.
  • Devices’ local drives can be encrypted automatically using BitLocker, and the recovery keys are escrowed to Azure Active Directory, where an administrator can retrieve them from the Intune admin centre if a user is locked out.
  • Windows settings can be controlled remotely, either on an individual machine or on a whole group of machines.
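Compliance state, OS version and BitLocker status are only useful if somebody actually looks at them, and a device that has not checked in for weeks reports a state that is no longer true. The script below is an added example, not code from the original post or from Microsoft: it runs offline against a constructed sample shaped like the Microsoft Graph managedDevice records Intune exposes, and flags devices that are non-compliant, unencrypted, below a Windows build baseline, or stale. The Get-IntuneDeviceInventory function assumes the Microsoft.Graph PowerShell SDK is installed and an administrator has signed in; the build baseline, sync-age threshold and device names are assumptions to adjust for your own estate.

```powershell
# Added example: triage the inventory Intune-enrolled devices report.
# Property names match the Graph managedDevice resource; the sample data is
# constructed and the thresholds are assumptions.

function Get-IntuneDeviceInventory {
    # Live data. Requires: Install-Module Microsoft.Graph
    #   Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All'
    Get-MgDeviceManagementManagedDevice -All |
        Select-Object DeviceName, OperatingSystem, OSVersion, ComplianceState,
                      IsEncrypted, ManagedDeviceOwnerType, LastSyncDateTime
}

function Find-DeviceRisk {
    param(
        [Parameter(Mandatory)] [object[]] $Devices,
        [int]      $MaxSyncAgeDays      = 7,                        # assumption
        [version]  $MinimumWindowsBuild = [version]'10.0.19045',    # assumption: Windows 10 22H2
        [datetime] $Now                 = (Get-Date)
    )
    foreach ($d in $Devices) {
        $reasons = @()

        # Anything other than 'compliant' (noncompliant, inGracePeriod, unknown, error...) needs a look.
        if ($d.ComplianceState -ne 'compliant') {
            $reasons += "complianceState=$($d.ComplianceState)"
        }

        # BitLocker: a corporate Windows device without encryption reported is a finding.
        if ($d.OperatingSystem -eq 'Windows' -and -not $d.IsEncrypted) {
            $reasons += 'BitLocker not reported'
        }

        # Feature-update baseline (Windows only; Android/iOS version strings are not numeric builds).
        if ($d.OperatingSystem -eq 'Windows' -and [version]$d.OSVersion -lt $MinimumWindowsBuild) {
            $reasons += "build $($d.OSVersion) below baseline $MinimumWindowsBuild"
        }

        # Stale check-in: whatever the device reported may no longer be true.
        $age = ($Now - [datetime]$d.LastSyncDateTime).TotalDays
        if ($age -gt $MaxSyncAgeDays) {
            $reasons += ('last sync {0:N0} days ago; reported state is stale' -f $age)
        }

        if ($reasons.Count) {
            [pscustomobject]@{
                Device = $d.DeviceName
                Owner  = $d.ManagedDeviceOwnerType
                Issues = ($reasons -join '; ')
            }
        }
    }
}

# Constructed sample shaped like Graph managedDevice records; these are not real devices.
$sample = @(
    [pscustomobject]@{ DeviceName='LAPTOP-01'; OperatingSystem='Windows'; OSVersion='10.0.19045.3693'; ComplianceState='compliant';    IsEncrypted=$true;  ManagedDeviceOwnerType='company';  LastSyncDateTime='2024-03-01T08:00:00Z' }
    [pscustomobject]@{ DeviceName='LAPTOP-02'; OperatingSystem='Windows'; OSVersion='10.0.19042.2965'; ComplianceState='compliant';    IsEncrypted=$false; ManagedDeviceOwnerType='company';  LastSyncDateTime='2024-03-01T09:30:00Z' }
    [pscustomobject]@{ DeviceName='LAPTOP-03'; OperatingSystem='Windows'; OSVersion='10.0.19045.3930'; ComplianceState='noncompliant'; IsEncrypted=$true;  ManagedDeviceOwnerType='company';  LastSyncDateTime='2024-01-15T17:12:00Z' }
    [pscustomobject]@{ DeviceName='Pixel-jh';  OperatingSystem='Android'; OSVersion='14';              ComplianceState='compliant';    IsEncrypted=$true;  ManagedDeviceOwnerType='personal'; LastSyncDateTime='2024-03-01T07:45:00Z' }
)

# Offline run with a fixed "now" so the output is reproducible.
Find-DeviceRisk -Devices $sample -Now ([datetime]'2024-03-02T00:00:00Z') | Format-Table -AutoSize

# Live run: Find-DeviceRisk -Devices (Get-IntuneDeviceInventory) | Format-Table -AutoSize
```

On the sample, LAPTOP-01 and the personal Android phone are clean, LAPTOP-02 is flagged for no BitLocker and an old build, and LAPTOP-03 is flagged both as non-compliant and as stale. The stale check is the one most people leave out: a device that last synced six weeks ago is not "compliant", it is unknown.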

Using Azure, MDM and MAM policies within a Bring Your Own Device Environment

When we refer to a corporate device, we normally mean one that is joined to Azure Active Directory and enrolled in Intune. For a phone or tablet, that means an MDM enrolment that gives Intune device-level control, so that the whole device can be wiped remotely.

If you operate a Bring Your Own Device (BYOD) environment, you would instead use a MAM policy (an App Protection Policy), so that sensitive corporate data can be removed remotely from an employee’s device without having access to, or touching, the employee’s personal (non-work) data on that device.

On Android, the MAM policy runs inside a separate “work profile” on the phone. Depending on the configuration, the employee installs a second, work copy of the same applications they use personally; these copies are governed by the MAM policy, and only their corporate data can be wiped. For example, an employee who uses Outlook for personal email installs Outlook again in the work profile in order to read work email. On iOS there is no separate partition: the same Outlook app holds both accounts, and the App Protection Policy applies only to the work account’s data. Either way, corporate data stays protected while employees have peace of mind that their personal communications, images and data are not accessible by their workplace.
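The App Protection Policy that enforces the behaviour described above is itself just a set of properties on a Graph object. The snippet below is an added example, not code from the original post or from Microsoft: it builds an Android App Protection Policy that keeps work data inside managed apps, blocks copy and paste out of them, requires a PIN, and wipes work data automatically after a long period offline. Property names and values are those of the Microsoft Graph androidManagedAppProtection resource; the display name, PIN length and time limits are assumptions to adjust, and the live POST at the end assumes the Microsoft.Graph PowerShell SDK and an administrator sign-in. Targeting the policy at specific apps and assigning it to user groups are separate Graph calls (the targetApps and assign actions) and are not shown.

```powershell
# Added example: build an Android App Protection Policy (MAM) body.
# Property names follow the Graph androidManagedAppProtection resource;
# the display name and thresholds are assumptions.

function New-MamPolicyBody {
    param(
        [string]$DisplayName        = 'BYOD - Android work apps',  # assumption
        [int]   $MinimumPinLength   = 6,                           # assumption
        [string]$OfflineGracePeriod = 'PT12H',   # ISO 8601 duration: 12 hours
        [string]$OfflineWipeAfter   = 'P90D'     # ISO 8601 duration: 90 days
    )
    [ordered]@{
        '@odata.type' = '#microsoft.graph.androidManagedAppProtection'
        displayName   = $DisplayName

        # Data transfer: work data may only move between managed apps,
        # and the clipboard only pastes outwards to other managed apps.
        allowedOutboundDataTransferDestinations = 'managedApps'
        allowedInboundDataTransferSources       = 'managedApps'
        allowedOutboundClipboardSharingLevel    = 'managedAppsWithPasteIn'

        # Storage: no "Save As" to personal locations; only corporate storage allowed.
        saveAsBlocked               = $true
        allowedDataStorageLocations = @('oneDriveForBusiness', 'sharePoint')
        dataBackupBlocked           = $true
        printBlocked                = $true
        screenCaptureBlocked        = $true
        encryptAppData              = $true

        # Access: a work PIN and a signed-in work account before the app opens.
        pinRequired                       = $true
        minimumPinLength                  = $MinimumPinLength
        pinCharacterSet                   = 'numeric'
        organizationalCredentialsRequired = $true
        periodOnlineBeforeAccessCheck     = 'PT30M'
        periodOfflineBeforeAccessCheck    = $OfflineGracePeriod

        # Selective wipe: if the device stays offline this long, work data is removed.
        periodOfflineBeforeWipeIsEnforced = $OfflineWipeAfter
    }
}

# Offline: emit the JSON so it can be reviewed or kept in source control.
$body = New-MamPolicyBody
$body | ConvertTo-Json -Depth 4

# Live (assumes the Microsoft.Graph SDK and an administrator sign-in):
#   Connect-MgGraph -Scopes 'DeviceManagementApps.ReadWrite.All'
#   Invoke-MgGraphRequest -Method POST `
#       -Uri 'https://graph.microsoft.com/v1.0/deviceAppManagement/androidManagedAppProtections' `
#       -Body ($body | ConvertTo-Json -Depth 4) -ContentType 'application/json'
```

The two settings that do the real work in a BYOD scenario are allowedOutboundDataTransferDestinations and saveAsBlocked together with allowedDataStorageLocations: between them they are what stops a work attachment being saved to the phone’s personal photo library or forwarded through a personal mail app. The offline wipe period is worth keeping in mind, because a device that is simply left in a drawer will lose its work data when the period expires.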

How Is Sensitive Data Accessed and Controlled by Intune?

On a device with an Intune policy assigned to it, the “Company Portal” app must be installed and signed in; it is the agent that enrols the device and applies policy (on iOS, the Microsoft Authenticator app fills the same broker role for App Protection Policies). Until that is in place, the device cannot enrol, and corporate applications can be configured to refuse access to company data. Once Company Portal is installed, you can connect to Microsoft Office 365 files, and Company Portal is also where corporate apps and data are removed from the device when it is retired.

My Staff Members Worry About Their Boss Having Access To Their Private Data

When you launch the Company Portal app, a screen explains what your organisation can and cannot see on the device. Because work data is kept separate from personal data, Intune manages only the corporate applications and their data; it cannot read personal email, messages, photos, browsing history or other personal data on the device.

Need Help Setting Up Intune?

Intune is a great utility to add to your IT system, allowing for more granular data management across multiple devices remotely. This functionality is vital for modern businesses and is a prerequisite of many cybersecurity insurance policies.

Please contact us if you have any questions or would like assistance with the protection of your Microsoft Office 365 applications and data.

Author: Jeremy Huson

Jeremy Huson is the founder and director of Carden IT Services LLC. He has nearly two decades of experience managing businesses’ IT networks and his areas of expertise are IT consultation and cybersecurity.