In my company we have purchased what is in essence a site license for EMS this gives me many new toys to play with but the one the business needs right now is Intune. As agile working becomes the norm we need to secure our devices and data internally and externally without impeding the users productivity. As a university we are also bound by certain rules regard encryption and data protection, so I need to enforce this. Intune to the rescue.
What is Intune?
Microsoft Intune is a cloud-based desktop and mobile device management tool that helps organizations provide their employees with access to corporate applications, data, and resources from the device of their choice.
Differences between hybrid and standalone
What is Intune standalone?
Intune standalone is a cloud-only MDM solution that involves no on-premises resources and is managed using a web console that can be accessed from anywhere in the world. Intune datacenters are hosted in North America, Europe, and Asia. Because Intune is a cloud service, you can deploy Intune management to your devices in a relatively short timeframe. You may also choose Intune standalone if your organization is moving to the cloud.
What is hybrid MDM with Configuration Manager?
Hybrid MDM is a solution that uses Intune as the delivery channel for policies, profiles, and applications to devices but uses Configuration Manager on-premises infrastructure to store and administer content and manage the devices. You may choose hybrid MDM if you already have a significant investment in Configuration Manager and want to extend it to manage mobile devices. A hybrid implementation gives you “single pane of glass” control, which means you can use the same on-premises infrastructure and administrative console to manage mobile devices with Intune as well as PCs and servers with the traditional Configuration Manager client.
Why I chose Hybrid Standalone Hybrid Standalone
Ok, I went back and forward on this so much, I even had to get Microsoft to set it back to standalone after it was initially set to hybrid. The main reason I set it to standalone was the new features, features appear in the standalone version earlier. I wanted to use Android for Work as one example which is in standalone but not hybrid. I really dislike the current Intune portal as it only works properly in IE and crashes a lot, but there is hope on the horizon as the Intune portal is moving to Azure.
Windows, Android or iOS
Along with creating this POC I had to test a number of phones out and see if they work for our business.
I actually like these phones and you can control every aspect with Intune but the general consensus from staff was they didn’t like the OS and almost all had Android or iOS as their personal phones and wanted a similar experience. Sorry Nokia.
Samsung Galaxy S7 (Android)
I have not used an Android phone for many years and I was very impressed by the speed, ease of use and the camera quality. As our company email is Gmail we get instant integration, encryption is enabled by default too. I was genuinely amazed at how good this phones was.
Apple iPhone (iOS)
I have had an iPhone for years and generally I like it but they are far too expensive for our business phones.
So the winner was the Samsung Galaxy S7
Setting up the Samsung Galaxy S7
Ok assuming you have Intune setup in either Standalone or hybrid lets get the phone set up and then enroll in Intune.
Connecting to WiFi is optional but with updates etc It makes sense, getting the end user to login is preferable to.
Get the end user to login to their company google account
Instant Gmail integration which is pretty handy.
Enrolling in Intune
In order for users to enrol their phone they need an EMS licence assigned to them. You can do this in the Office 365 Portal or in Azure AD. Users can enrol up to 15 devices. Once the phone is set up, its time to install the company portal and get the end user to login to it.
Login using your company details
The company portal is installed and the end user is presented with deployed applications and policies that are enforced on the phone. Ta Da
There we go, the Company Portal is installed and the device appears in Intune.
Its important to remember that this is classed as MDM, Android for Work is actually classed as BYOB
In the next post I will talk about Android for Work.