Microsoft MDM: How to manage business mobile devices

Microsoft offers companies a suite to remotely manage, access and protect data stored on devices owned by the company and employees. This practice of managing devices and data is called Mobile Device Management (MDM). MDM services allow you to create security policies that govern a device's behavior when accessing sensitive company data. These policies establish how users can access the corporate portal (website or application) and what they can or cannot do after logging in. In this article, we will better see what the Microsoft MDM ecosystem is and the functionalities of the services that comprise it.

What you'll find in this article

  • Microsoft MDM: an introduction
  • Microsoft MDM: How mobile device management works
  • Microsoft Intune: history, features, and operation
  • Microsoft MDM vs MAM: different but complementary approaches
  • Microsoft MDM vs Intune: a clarification

Microsoft MDM: an introduction

In the past, companies used configuration management tools to administer and protect data on their devices, as most employees worked on devices provided and owned by the employer. Today's trend is instead moving towards a more hybrid and flexible approach, known in jargon as BYOD, which means 'Bring Your Own Device'.

In this context, employees have the flexibility to use their personal devices for work, both at home and in the office. However, this practice has made it difficult to protect data on different mobile devices that use various operating systems, and to overcome this problem, Microsoft launched a product called Microsoft Intune.

With Intune, IT administrators can manage laptops, tablets, and smartphones that use the main operating systems, namely Android, iOS/iPadOS, macOS, and Windows.

Intune has evolved in recent years into an all-encompassing, multiplatform product for managing devices and applications, which has incorporated the entire Microsoft mobile device management ecosystem and has become, de facto, the label with which this particular family of services is now referred to.

But how does Microsoft's mobile device management ecosystem work? What are its functions? Let's see it in the next sections.

Overview of Microsoft Intune

Microsoft MDM: How mobile device management works

Microsoft offers a suite of solutions and technologies to businesses to remotely manage, access and protect data stored on devices owned by the organization and employees. This practice of managing devices and data is called Mobile Device Management (or MDM).

MDM services allow you to create security policies that govern a device's behavior when accessing sensitive company data. These policies establish how users can access the corporate portal (website or application) and what they can or cannot do after logging in. If an employee wants to use their device in the workplace, they will need to accept these policies.

Here are a few mobile device management use cases:

  • Restrict access to Wi-Fi networks. You can request that employees access the company portal only through Wi-Fi networks or VPNs located on the organization's premises. You can also restrict access to the corporate portal through public networks, as they are vulnerable to hacker attacks.
  • Deletion of data. IT administrators can completely wipe a device by restoring it to factory settings or selectively delete business data. This action can be performed remotely in case the device is lost, stolen, or if an employee leaves the company.
  • App deployment and update. Intune MAM allows the publication of internal and line-of-business apps in the corporate portal. Once employees enroll in mobile device management, IT administrators can deploy, update, selectively delete, configure, protect, and monitor these applications.
  • Data protection. In addition to deleting data upon request, Intune provides other tools and methods to protect data.

Are you looking for a technical team that knows how to move in the Microsoft 365 ecosystem?

To successfully implement business processes within the Microsoft 365 ecosystem, the following skills are needed:

  • software development skills
  • excellent knowledge of the Microsoft Azure cloud
  • ability to manage the Microsoft 365 tenant and its policies
  • knowledge of the main vertical software included in the Microsoft 365 subscription

Dev4Side Software has the vertical technical skills to provide you with a single, transversal point of contact for all the elements of your subscription.

Microsoft Intune: history, features, and operation

Intune is an MDM service that helps organizations manage and protect their mobile devices. Intune offers a full set of features, including device management, application management, information protection, and more. With Intune, organizations can manage both corporate-owned and personal devices in a single console.

It allows the management of a network of devices through the cloud and the monitoring of user access, while simplifying the management of applications on various devices, including mobile devices, desktop computers, and virtual endpoints.

Microsoft Intune was launched in 2011 as Windows Intune, with the name change to Microsoft Intune announced in 2014. A major development since then has been the move of Microsoft Intune to the Microsoft Azure public cloud. In December 2016, Microsoft released a preliminary version where administrators could log in and manage Microsoft Intune using the Azure portal. In June 2017, Microsoft announced the general availability of Intune management through the Azure portal.

Another name change occurred in 2019 when Microsoft renamed the suite that contains endpoint management. The new suite, which includes products such as Configuration Manager, Intune and Windows Autopilot, has been called Microsoft Endpoint Manager.

In 2022, Microsoft then renamed Microsoft Endpoint Manager back to Microsoft Intune with several new product announcements, including Remote Help, Endpoint Privilege Management, advanced endpoint analysis, and Microsoft Tunnel for MAM.

Over the years (and after various and confusing changes of name), Microsoft Intune has therefore evolved into a multiplatform tool for managing devices and applications. The most important features and capabilities include the following:

  • Manage personal and business-owned devices on the most common platforms and provide secure access to corporate data on those devices. Microsoft Intune currently supports the management of Android, iOS and iPadOS, Linux, macOS, Windows, and ChromeOS devices.
  • Manage the lifecycle of apps on managed devices, including deploying, updating, and removing apps.
  • Manage apps on mobile devices and securely provide access to business data through those apps.
  • Enable self-service features, such as resetting your PIN or password, installing apps, and removing devices, through the Company Portal app.
  • Integrate with mobile threat defense services to put a real focus on endpoint security.
  • Provide reporting capabilities that offer insights into your environment. This includes reports with information on policies, profiles, updates, apps, and more.

Intune is a component of Microsoft's Enterprise Mobility + Security (EMS) offering, a mobile device and mobile application management (MAM) platform, and is also available in Microsoft 365 E3, E5, F1, F3, EMS E3 and E5 subscriptions, and in Business Premium plans.

The product is designed to integrate with other parts of the EMS suite, including Azure Active Directory (Azure AD) and Microsoft Azure Information Protection. The app protection policies component of Intune uses the Azure AD identity to separate business data from personal data.

In Microsoft's approach to managing mobile devices, Intune primarily uses protocols or APIs available in mobile operating systems to perform tasks such as device enrollment. Enrollment allows IT staff to keep an inventory of the devices that can access business services.

Microsoft Intune architecture

Other tasks include configuring mobile devices, certificates, Wi-Fi and VPN profiles, and compliance reports related to business standards. Intune integrates with Azure AD to provide access control capabilities, offering the tools needed to move toward a zero-trust environment.

Meanwhile, Microsoft's approach to managing applications through Intune covers areas such as assigning mobile apps to the workforce, configuring these apps with standard settings, and removing business data from mobile apps. When used with other services in the EMS suite, Intune allows the organization to provide apps that can access additional security features for mobile apps and data, such as single sign-on (SSO) and multi-factor authentication.

Intune offers organizations the capabilities to manage devices and apps and protect business data, and through integration with Azure AD, Windows Autopilot, Microsoft Defender for Endpoint, Microsoft 365 and Windows Autopatch, it has become a very important part of the zero-trust strategy in a Microsoft cloud environment.

The service can provide the IT department with the necessary functionality to manage registrations, configurations, security, compliance, apps and updates on any supported device, allowing IT administrators to ensure secure access to business data on almost any device.

In addition, thanks to direct integration with conditional access through Azure AD, Intune allows IT administrators to verify if a device complies with company policies and allows access to corporate data and apps only when the device meets compliance requirements.
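As an added illustration (not code from the article or from Microsoft), the following Python reads a constructed response in the shape of the Microsoft Graph managedDevices listing and applies the compliance-then-access decision described above; the device records, the 30-day check-in threshold and the decision labels are assumptions.

```python
"""Report which Intune-managed devices a 'require compliant device' grant would block.

Added example, not code from the article or from Microsoft. It parses a
constructed response in the shape Microsoft Graph returns from
GET https://graph.microsoft.com/v1.0/deviceManagement/managedDevices
(property names are the real managedDevice properties; the records are made up).
"""
from datetime import datetime, timedelta, timezone

# Constructed sample response: device records and values are invented.
SAMPLE_RESPONSE = {
    "value": [
        {"id": "d1", "deviceName": "LAPTOP-ALICE", "operatingSystem": "Windows",
         "managedDeviceOwnerType": "company", "complianceState": "compliant",
         "isEncrypted": True, "lastSyncDateTime": "2024-05-01T08:00:00Z"},
        {"id": "d2", "deviceName": "Bob's iPhone", "operatingSystem": "iOS",
         "managedDeviceOwnerType": "personal", "complianceState": "noncompliant",
         "isEncrypted": True, "lastSyncDateTime": "2024-05-01T07:30:00Z"},
        {"id": "d3", "deviceName": "PIXEL-CAROL", "operatingSystem": "Android",
         "managedDeviceOwnerType": "personal", "complianceState": "inGracePeriod",
         "isEncrypted": False, "lastSyncDateTime": "2024-04-30T18:00:00Z"},
        {"id": "d4", "deviceName": "MBP-DAVE", "operatingSystem": "macOS",
         "managedDeviceOwnerType": "company", "complianceState": "compliant",
         "isEncrypted": True, "lastSyncDateTime": "2024-03-01T09:00:00Z"},
    ]
}

NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the sample
STALE_AFTER = timedelta(days=30)  # assumed local threshold, independent of Intune's own


def parse_sync_time(value):
    # Graph returns ISO 8601 with a trailing Z; fromisoformat wants +00:00.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def evaluate(device, now=NOW):
    """Return (decision, reasons) for one managedDevice record.

    'allow' models the Conditional Access grant 'require device to be marked
    as compliant'; 'allow-grace' is a device inside a compliance grace period;
    'block' is denied access and should be followed up by IT.
    """
    reasons = []
    state = device.get("complianceState", "unknown")
    if state != "compliant":
        reasons.append(f"complianceState={state}")
    if not device.get("isEncrypted", False):
        reasons.append("disk not encrypted")
    if now - parse_sync_time(device["lastSyncDateTime"]) > STALE_AFTER:
        reasons.append("no check-in for >30 days")
    if state == "inGracePeriod":
        decision = "allow-grace"  # still admitted until the policy's grace period ends
    elif reasons:
        decision = "block"
    else:
        decision = "allow"
    return decision, reasons


def compliance_report(response, now=NOW):
    """Map device id -> (decision, reasons) for every record in a Graph page."""
    return {d["id"]: evaluate(d, now) for d in response["value"]}


if __name__ == "__main__":
    for dev_id, (decision, reasons) in compliance_report(SAMPLE_RESPONSE).items():
        print(dev_id, decision, "; ".join(reasons) or "-")
```

Note that device d4 is still marked compliant by Intune yet has not checked in for two months, which is why a report like this looks at the last sync time as well as the compliance state.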

What was Microsoft Endpoint Manager?

Microsoft Endpoint Manager (now part of the Intune family; more details below) was a platform that integrated Microsoft Intune and Configuration Manager to provide a unified endpoint management solution.

It allows you to manage and protect endpoints, such as laptops, desktops, tablets, smartphones, servers and virtual machines, on different operating systems, such as Windows, iOS, Android, macOS and Linux. In addition, it allows you to distribute and manage applications, policies, updates and compliance on your endpoints, in addition to controlling access and data on corporate and personal devices.

As of October 12, 2022, Microsoft Intune has become the de facto name of the endpoint management family, and the name Microsoft Endpoint Manager will no longer be used. In the future, Microsoft will refer to cloud management as Microsoft Intune and to on-premises management as Microsoft Configuration Manager, with the latter now part of the Intune family of products.

Microsoft Intune product family

The Microsoft Intune family of products now includes:

  • Microsoft Intune: Microsoft Intune is a cloud-based service that allows businesses to manage devices and applications from a single console. Intune is part of the Microsoft Endpoint Management family and provides management of mobile devices, PCs and applications from the cloud.
  • Microsoft Configuration Manager: Microsoft Configuration Manager is an on-premises management tool that allows businesses to manage devices and applications from a single console. Configuration Manager offers on-premises management of desktops, laptops, servers, and mobile devices. It can be used simultaneously with Intune for different workloads, offering a gradual migration path to the cloud.
  • Microsoft Intune Suite: (see next section)
  • Microsoft Intune Remote Help: Microsoft Intune Remote Help (available at an additional cost of $2 per user/month if you don't buy Intune Suite) is a feature that allows IT administrators to remotely assist users with their devices. This feature is available for both mobile and desktop devices.
  • Microsoft Tunnel for Mobile Application Management (MAM): Microsoft Tunnel for Mobile Application Management (MAM) is a feature that provides secure access to on-premises applications and resources from mobile devices. This functionality allows businesses to keep their data secure, while still ensuring access to critical applications and resources.
  • Microsoft Intune Endpoint Privilege Management: Microsoft Intune Endpoint Privilege Management is a feature that allows companies to manage and protect access to sensitive resources and data on their endpoints. This feature gives companies the ability to control access to sensitive data and prevent unauthorized access.

Microsoft Intune Pricing: available options

Intune is offered at a price per user, per month, and organizations can purchase it as a standalone plan or as part of another subscription.

Below are the three individual plans:

  1. Microsoft Intune Plan 1. Plan 1 includes basic UEM functionality and is included with Microsoft 365 E3, E5, F1, F3, EMS E3 and E5 subscriptions, and Business Premium plans. In particular, the advanced tools of the Microsoft Intune Suite can be purchased as add-ons for Plan 1.
  2. Microsoft Intune Plan 2. Plan 2 is an add-on to Plan 1 and offers additional tools, such as Microsoft Intune Tunnel for MAM and endpoint management for specialized devices.
  3. Microsoft Intune Suite. Intune Suite is the highest-tier plan for Intune as a standalone service. It is an add-on to Plan 1, includes the add-ons to Plan 2, and offers additional tools. Additional tools in the Intune Suite include Remote Help, Endpoint Privilege Management, advanced endpoint analysis, and other tools with advanced functionality.

For more information on the specific prices of the three plans, as always, we refer you to the official Microsoft page (available here), where you can begin to make a first estimate of the service costs for your organization.

Microsoft MDM vs MAM: different but complementary approaches

Microsoft Intune is both an MDM (Mobile Device Management) and MAM (Mobile Application Management) system, but what does it mean exactly?

The two main approaches that have emerged in the field of mobile management are, precisely, Mobile Device Management (MDM) and Mobile Application Management (MAM). Although both approaches aim to improve the control and security of mobile devices and applications, they address different aspects with different methodologies.

The debate between MDM and MAM provides organizations with valuable options for managing and protecting their mobile devices and applications, and understanding the differences between MDM and MAM is crucial for making informed decisions that are aligned with specific business needs and objectives.

MDM (Mobile Device Management), as we have already seen, allows administrators to manage and control corporate and personal devices. It lets you enroll devices, push configuration profiles to them, and wipe devices remotely or restore them to factory settings.

MAM (Mobile Application Management), on the other hand, focuses on application management and allows you to control and monitor business data on users' personal devices or on business devices. You can isolate business data from personal data within devices.

MDM and MAM in Microsoft Intune

You can use application management policies to prevent users from copying business data from Office apps to their personal applications and to control the distribution of applications on devices. With the help of Mobile Application Management policies, strict application-level security and compliance policies can be enforced.

Depending on your objectives, an MDM tool, a MAM solution, or a combination of both may be ideal for your company, and to choose the right approach, you need to consider the following points:

  • Objectives: Mobile device management (MDM) and mobile application management (MAM) solutions achieve very different objectives. MDM is ideal for having complete control over a business device. However, MAM is often preferred in BYOD environments, where only control over business data and software resources on an employee's personal device is needed.
  • Budget: The company could benefit from both MDM and MAM solutions, especially if it manages a combination of business devices and BYOD. However, this may not be within your budget. Knowing how much you can afford can help you prioritize the most critical solutions for your business.
  • User feedback: In some cases, users may object to solutions that they perceive as a violation of their privacy. This is more likely if you plan to use an MDM on employee-owned devices, which could be seen as an excess. Some users may also be reluctant to give the IT team the power to erase all data from their phones, including personal data. That said, MDM solutions generally don't allow the IT team to read messages, view photos, or perform other intrusive activities that users fear. Being transparent about the pros and cons of the proposed solution can help you evaluate reactions before making a final decision.

Microsoft MDM vs Intune: a clarification

By searching online, you can still find a lot of outdated information about Microsoft's Mobile Device Management options, including several comparisons between Intune and Microsoft 365 MDM. This may generate some perplexity and doubts in the already quite confusing Intune landscape, between name changes and aggregation of services that were once different and separate.

So let's try to clarify the situation once and for all.

In the past, Microsoft provided, through Microsoft 365 subscriptions, a mobile device manager with very basic functions called (appropriately enough) Microsoft 365 MDM. Microsoft has since deprecated it and will no longer support mobile device management through the basic MDM integrated into Microsoft 365.

This decision is part of a larger shift toward the use of Microsoft Intune, which offers much more advanced mobile device management capabilities than the MDM integrated into Microsoft 365. Microsoft's current policy is in fact aimed at encouraging customers to migrate to Intune to ensure more secure and functional device management.

Conclusions

In today's digital world, organizations face challenges managing the growing number of devices within their technology ecosystems. Enterprise IT assets have become diverse and complex, moving from traditional desktops and laptops to smartphones, tablets and IoT devices.

This increase in devices has created a pressing need for robust, flexible, and comprehensive device management solutions. Effective device management is critical for organizations to maintain security, productivity, and compliance across their technology infrastructure.

As the device management landscape continues to evolve, organizations must carefully evaluate their specific needs and choose a solution that aligns with their long-term strategy, and Microsoft Intune (and the family of services and products that bear its name) may be the ideal solution for their organization.

As we have seen, Intune is positioned as a solid alternative to traditional MDM. Beyond the native advantages of the cloud, it offers an impressive variety of advanced management functions for every type of device and operating system, smooth integration with the rest of the Microsoft environment, and the guarantee of always being up to date with the latest developments in mobile device and application management.

All of this in one convenient package.

FAQ on Microsoft MDM

What is Microsoft MDM?

MDM, acronym for Mobile Device Management, is a set of Microsoft technologies that allows companies to manage, protect and remotely access data contained on corporate or personal mobile devices. This management is based on security policies that define what a device can or cannot do when accessing corporate resources such as portals, apps or sensitive documents.

What's the difference between MDM and Microsoft Intune?

Microsoft Intune is the cloud service through which Microsoft implements MDM and MAM management. In the past, there was a service called Microsoft 365 MDM, which was very basic and now deprecated. Today, Intune represents the complete and advanced evolution of this ecosystem, and is the reference name for mobile device management within Microsoft solutions.

What devices can I manage with Microsoft Intune?

With Intune it is possible to manage devices that use the main operating systems on the market. The goal is to offer multiplatform management to meet the variety of needs of modern companies, which adopt hybrid and flexible technological environments.

What can an IT administrator do with MDM?

An IT administrator can define secure access rules to corporate data, restrict connection to public networks, delete data from lost or no longer authorized devices, publish and update business apps through the portal, protect sensitive information, configure VPNs and security profiles, and monitor device compliance with company policies.

Can I use MDM on employees' personal devices?

Yes, Microsoft fully supports the Bring Your Own Device (BYOD) model, where employees can use their devices to work. Intune allows you to apply protection rules only to business data, keeping personal data separate from professional data, thanks to the integration with Azure Active Directory.

What's the difference between MDM and MAM?

MDM manages the entire device, including settings, configurations, and the ability to perform actions such as remote deletion. MAM, on the other hand, focuses exclusively on business applications installed on a device and allows you to manage data within those apps without controlling the entire device. MAM is particularly suitable in contexts where the company does not own the device but wants to protect its assets.

Is Microsoft Intune included in Microsoft 365 plans?

Yes, Microsoft Intune is included in several Microsoft 365 plans and can also be purchased as a standalone service. The plans vary according to the features offered and include basic options, add-ons such as Intune Plan 2, or the complete suite called Microsoft Intune Suite, which integrates advanced functionality for endpoint management, remote assistance and privilege control.

What happened to Microsoft Endpoint Manager?

Microsoft Endpoint Manager was the platform that integrated Intune and Configuration Manager to provide unified endpoint management. As of October 2022, Microsoft has reorganized the nomenclature and today refers to Intune as the official name for cloud management and to Configuration Manager for on-premises management. The Endpoint Manager name is no longer used.

Can the company access personal data on managed devices?

No, even if a device is registered via MDM, personal data remains private. The IT administrator can only manage business data and apps, without the ability to view messages, photos, or private content. In addition, Intune supports selective deletion, which allows you to remove only business data, leaving personal data intact.

Is Intune right for businesses with business and personal devices?

Yes, it is one of the most flexible solutions precisely because it allows you to manage business devices with full MDM and personal devices through MAM policies. This allows it to adapt to the different needs of modern organizations, while maintaining high levels of security and respect for privacy.
