Microsoft 365 is bringing the best of Microsoft together. One of the key things Satya Nadella did when he took over was to put customers front and center. Microsoft has invested in partner and customer programs to help accelerate the adoption of Intune.
There are three versions of Intune:
- Intune for Enterprises
- Intune for Education
- Intune for SMBs (in public preview)
One of the biggest innovations Microsoft completed was moving Intune to Azure. There is a new portal for Intune available within Azure that provides an overview of device compliance.
To set up Intune, the first thing you do is define a device profile. Microsoft supports a range of platforms such as Android, iOS, macOS and Windows. Once you have a device profile, there are dozens of configurations you can apply.
Once you define the profile, you assign it to Azure AD groups. You can either include or exclude users, so you can create a baseline for all users and exclude your executive group to provide them an elevated set of features.
As it lives in the Azure Portal, you can click on Azure Active Directory and see the same set of policies. Within the policy you can set access controls that are conditional, for example "you get corporate email only if you are compliant and patched". Intune checks the state of the device and its compliance and then grants access. The compliance overview portal is available in Intune from within Azure.
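The "corporate email only if compliant" rule described above can be expressed as a conditional access policy through Microsoft Graph. This is an added example, not code from the session or from Microsoft; it assumes the Microsoft.Graph PowerShell SDK is installed, and the two group IDs are placeholders for your own Azure AD groups (the emergency-access exclusion group is a hypothetical addition).

```powershell
# Added example (not from the original page).
# Assumption: Microsoft.Graph PowerShell SDK is installed and the signed-in
# admin may manage conditional access policies.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# Placeholders: replace with real Azure AD group object IDs.
$baselineGroupId   = '<baseline-users-group-object-id>'
$breakGlassGroupId = '<emergency-access-group-object-id>'   # hypothetical exclusion group

$policy = @{
    displayName = 'Require compliant device for Exchange Online'
    # Report-only first: sign-ins are evaluated and logged, but not blocked,
    # so the impact can be reviewed before the policy is enforced.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeGroups = @($baselineGroupId)
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{
            # Well-known application ID of Office 365 Exchange Online.
            includeApplications = @('00000002-0000-0ff1-ce00-000000000000')
        }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        # Access is granted only when Intune reports the device as compliant.
        # What "compliant" means (for example a minimum OS version) is set in
        # the Intune compliance policy, not here.
        builtInControls = @('compliantDevice')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Check: list every policy in the tenant that gates access on device compliance.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.GrantControls.BuiltInControls -contains 'compliantDevice' } |
    Select-Object DisplayName, State
```

Switch `state` to `enabled` only after the report-only results in the sign-in logs show that the intended users and devices pass.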
Microsoft has dramatically simplified the ability to add apps. From within Intune's portal, you can access and browse the iOS App Store to add applications within the interface. In addition to granting access to apps, you can apply app protection policies. For example, you can enforce that the user is running a minimum app version. You can block or warn if the user is in violation of this policy.
The demo shows an enrolled iPad attempting to use a down-level version of Word, which displays a warning when the user launches it. You can provide conditional access that allows a grace period for remediating certain types of non-compliant states.
Many top 500 companies leverage Jamf today (https://www.jamf.com) for Apple management. Jamf is the standard for Apple mobile device management. Whether you're a small business, school or growing enterprise environment, Jamf can meet you where you're at and help you scale.
Intune can now be used in conjunction with Jamf. With this partnership you can use both Jamf and Intune together. Macs enroll in Jamf Pro. Jamf is able to send the macOS device inventory to Intune to determine compliance. If Intune determines the device is compliant, access is allowed. If it is not, Intune and Jamf present some options to the user to enable them to resolve issues and check compliance.
Another feature that has been built into conditional access is the ability to restrict access to services based on the location of the user. Microsoft has also enhanced Mobile Threat Protection and extended geo-fencing (in tech preview).
For geo-fencing, you define known geo locations. If the user roams outside of those locations, the password gets locked. Similarly, for Mobile Threat Protection, you define trusted locations and create rules to determine what happens if access is requested from a trusted or non-trusted location.