What is Microsoft Intune?
Microsoft Intune is a cloud-based service in the enterprise mobility management (EMM) space that helps enable your workforce to be productive while keeping your corporate data protected. Similar to other Azure services, Microsoft Intune is available in the Azure portal.
With Intune, you can:
- Manage the mobile devices and PCs your workforce uses to access company data.
- Manage the mobile apps your workforce uses.
- Protect your company information by helping to control the way your workforce accesses and shares it.
- Ensure devices and apps are compliant with company security requirements.
Common business problems that Intune helps solve
- Protect your on-premises email and data so that it can be accessed by mobile devices
- Protect your Office 365 mail and data so that it can be safely accessed by mobile devices
- Issue corporate-owned phones to your workforce
- Offer a bring-your-own-device (BYOD) or personal device program to all employees
- Enable your employees to securely access Office 365 from an unmanaged public kiosk
- Issue limited-use shared tablets to your task workers
How does Intune work?
Intune is the component of Microsoft’s Enterprise Mobility + Security (EMS) suite that manages mobile devices and apps. It integrates closely with other EMS components like Azure Active Directory (Azure AD) for identity and access control and Azure Information Protection for data protection. When you use it with Office 365, you can enable your workforce to be productive on all their devices, while keeping your organization’s information protected.
How you use the device and app management features of Intune and EMS data protection depends on the business problem you are trying to solve. For example:
- You’ll make strong use of device management if you’re creating a pool of single-use devices to be shared by shift workers in a retail store.
- You’ll lean on app management and data protection if you allow your workforce to use their personal devices to access corporate data (BYOD).
- If you are issuing corporate phones to information workers, you’ll rely on all of the technologies.
Intune device management explained
Intune device management works by using the protocols or APIs that are available in the mobile operating systems. It includes tasks like:
- Enrolling devices into management so your IT department has an inventory of devices that are accessing corporate services
- Configuring devices to ensure they meet company security and health standards
- Providing certificates and Wi-Fi/VPN profiles to access corporate services
- Reporting on and measuring device compliance to corporate standards
- Removing corporate data from managed devices
Sometimes, people think access control to corporate data is a device management feature. We don’t think of it that way because it isn’t something that the mobile operating system provides. Rather, it’s something the identity provider delivers. In our case, the identity provider is Azure Active Directory (Azure AD), Microsoft’s identity and access management system.
Intune integrates with Azure AD to enable a broad set of access control scenarios. For example, you can require a mobile device to be compliant with corporate standards that you define in Intune before the device can access a corporate service like Exchange. Likewise, you can lock down the corporate service to a specific set of mobile apps. For example, you can lock down Exchange Online to only be accessed by Outlook or Outlook Mobile.
Intune app management explained
When we talk about app management, we are talking about:
- Assigning mobile apps to employees
- Configuring apps with standard settings that are used when the app runs
- Controlling how corporate data is used and shared in mobile apps
- Removing corporate data from mobile apps
- Updating apps
- Reporting on mobile app inventory
- Tracking mobile app usage
We have seen the term mobile app management (MAM) used to mean any one of those things individually or to mean specific combinations. In particular, it’s common for folks to combine the concept of app configuration with the concept of securing corporate data within mobile apps. That’s because some mobile apps expose settings that allow their data security features to be configured.
When we talk about app configuration and Intune, we are referring specifically to technologies like managed app configuration on iOS.
When you use Intune with the other services in EMS, you can provide your organization mobile app security over and above what is provided by the mobile operating system and the mobile apps themselves through app configuration. An app that is managed with EMS has access to a broader set of mobile app and data protection features that includes:
- Single sign-on
- Multi-factor authentication
- App conditional access – allow access if the mobile app contains corporate data
- Isolating corporate data from personal data inside the same app
- App protection policy (PIN, encryption, save-as, clipboard, etc.)
- Corporate data wipe from a mobile app
- Rights management support
Intune app security
Providing app security is a part of app management, and in Intune, when we talk about mobile app security, we mean:
- Keeping personal information isolated from corporate IT awareness
- Restricting the actions users can take with corporate information such as copy, cut/paste, save, and view
- Removing corporate data from mobile apps, also known as selective wipe or corporate wipe
One way Intune provides mobile app security is through its app protection policy feature. App protection policy uses Azure AD identity to isolate corporate data from personal data. Data that is accessed using corporate credentials will be given additional corporate protections.
For example, when a user logs on to their device with their corporate credentials, their corporate identity allows them to access data that is denied to their personal identity. As that corporate data is used, app protection policies control how it is saved and shared. Those same protections are not applied to data that is accessed when the user logs on to their device with their personal identity. In this way, IT has control of corporate data while the end user maintains control and privacy over their personal data.