Remote work and BYOD (bring your own device) are becoming more common and popular among businesses and employees. However, they also pose significant challenges for IT admins who need to ensure that the devices are compliant, secure, and up to date. How can IT admins manage and protect devices remotely without compromising user productivity and privacy?
One solution is to use Microsoft Intune, a cloud-based service that allows IT admins to control and manage devices across platforms, such as Windows, iOS, Android, and macOS. Intune enables IT admins to:
- Enrol devices and assign them to users and groups.
- Configure device settings and policies according to the organization’s requirements.
- Deploy and update applications and software on devices.
- Monitor and report on device status and compliance.
- Remotely wipe or lock devices in case of loss, theft, or breach.
In this blog post, we will show you how to optimize Intune for remote work and BYOD scenarios and share some best practices and tips to make the most of this service.
How to enrol devices in Intune
The first step to use Intune is to enrol devices in the service. This allows IT admins to manage and secure the devices from the cloud. There are different ways to enrol devices in Intune, depending on the device type, ownership, and enrolment method. Here are some of the common scenarios and how to enrol them:
- Windows 10 devices: IT admins can use Windows Autopilot, a feature that automates the enrolment and configuration of new or reset devices. Windows Autopilot requires a device to be registered in the Intune portal or by the device vendor. Once registered, the device will automatically enrol in Intune when the user signs in with their Azure Active Directory (AAD) account. Alternatively, IT admins can also enrol Windows 10 devices manually by using the Company Portal app or the Settings app.
- iOS and iPadOS devices: IT admins can use Apple Business Manager (ABM) or Apple School Manager (ASM), which are web-based portals that allow IT admins to enrol and manage Apple devices. ABM and ASM require a device to be registered in the portal or by the device vendor. Once registered, the device will automatically enrol in Intune when the user activates the device. Alternatively, IT admins can also enrol iOS and iPadOS devices manually by using the Company Portal app or the Apple Configurator app.
- Android devices: IT admins can use Android Enterprise, a framework that allows IT admins to enrol and manage Android devices. Android Enterprise requires a device to support the Android Enterprise feature set and to be registered in the Intune portal. Once registered, the device will automatically enrol in Intune when the user signs in with their Google account. Alternatively, IT admins can also enrol Android devices manually by using the Company Portal app or the Intune app.
- macOS devices: IT admins can use Apple Business Manager (ABM) or Apple School Manager (ASM), which are web-based portals that allow IT admins to enrol and manage Apple devices. ABM and ASM require a device to be registered in the portal or by the device vendor. Once registered, the device will automatically enrol in Intune when the user signs in with their AAD account. Alternatively, IT admins can also enrol macOS devices manually by using the Company Portal app or the Intune Enrolment app.
For more information on how to enrol devices in Intune, please refer to this documentation: Device enrollment guide for Microsoft Intune | Microsoft Learn
How to configure device settings and policies in Intune
The second step to use Intune is to configure device settings and policies in the service. This allows IT admins to customize and enforce the device behaviour and security according to the organization’s needs. There are different types of device settings and policies in Intune, such as:
- Device configuration profiles: These are collections of settings that can be applied to devices to configure features, such as Wi-Fi, VPN, email, browser, firewall, encryption, and more. Device configuration profiles can be assigned to devices, users, or groups, and can be targeted to specific platforms, such as Windows, iOS, Android, or macOS.
- Device compliance policies: These are rules that define the minimum requirements for devices to be considered compliant, such as password, encryption, operating system version, antivirus status, and more. Device compliance policies can be assigned to devices, users, or groups, and can be targeted to specific platforms, such as Windows, iOS, Android, or macOS. Devices that do not meet the compliance criteria can be blocked from accessing corporate resources or remediated automatically.
- App protection policies: These are policies that protect the data within the apps that are used on devices, such as Microsoft 365 apps, Outlook, Teams, OneDrive, and more. App protection policies can be applied to devices that are enrolled or not enrolled in Intune, and can be targeted to specific platforms, such as iOS or Android. App protection policies can control features, such as data encryption, copy and paste, save as, app access, and more.
- App configuration policies: These are policies that configure the settings within the apps that are used on devices, such as Microsoft 365 apps, Outlook, Teams, OneDrive, and more. App configuration policies can be applied to devices that are enrolled or not enrolled in Intune, and can be targeted to specific platforms, such as iOS or Android. App configuration policies can customize features, such as app language, app theme, app mode, and more.
For more information on how to configure device settings and policies in Intune, please refer to this documentation: Create an email device profile for iOS/iPadOS devices | Microsoft Learn
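The compliance-policy bullet above maps directly onto a Microsoft Graph request. The following Python is an added example (not code from the original post or from Microsoft) that builds the body for POST /deviceManagement/deviceCompliancePolicies on Graph v1.0 for Windows devices, covering the criteria the post names (password, encryption, OS version, antivirus), and the body for the follow-up /assign call that scopes the policy to a group. The threshold values are illustrative, and creating the policy for real needs a token with the DeviceManagementConfiguration.ReadWrite.All scope; nothing here talks to the network.

```python
import json

GRAPH = "https://graph.microsoft.com/v1.0"

def windows_compliance_policy(name: str, min_os: str, grace_hours: int = 0) -> dict:
    """Body for POST {GRAPH}/deviceManagement/deviceCompliancePolicies.
    The settings are the criteria this post lists: password, encryption,
    OS version and antivirus status. Values are illustrative."""
    return {
        "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
        "displayName": name,
        "passwordRequired": True,
        "passwordMinimumLength": 8,
        "passwordRequiredType": "alphanumeric",
        "osMinimumVersion": min_os,
        "bitLockerEnabled": True,
        "storageRequireEncryption": True,
        "secureBootEnabled": True,
        "codeIntegrityEnabled": True,
        "activeFirewallRequired": True,
        "antivirusRequired": True,
        "defenderEnabled": True,
        "rtpEnabled": True,
        # Graph rejects a policy with no scheduled action. "block" marks the device
        # non-compliant once the grace period ends, which is what Conditional
        # Access keys on to deny corporate resources.
        "scheduledActionsForRule": [{
            "ruleName": "PasswordRequired",
            "scheduledActionConfigurations": [{
                "actionType": "block",
                "gracePeriodHours": grace_hours,
                "notificationTemplateId": "",
                "notificationMessageCCList": [],
            }],
        }],
    }

def group_assignment(group_id: str) -> dict:
    """Body for POST {GRAPH}/deviceManagement/deviceCompliancePolicies/{id}/assign,
    which scopes the policy to an AAD group of users or devices."""
    return {"assignments": [{"target": {
        "@odata.type": "#microsoft.graph.groupAssignmentTarget",
        "groupId": group_id,
    }}]}

if __name__ == "__main__":
    policy = windows_compliance_policy("BYOD Windows baseline", "10.0.19045", grace_hours=24)
    print(json.dumps(policy, indent=2))
```

A grace period of 0 hours blocks a device the moment it fails a check, which is safest for BYOD but generates more help-desk calls; 24 hours is a common compromise.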
How to deploy and update applications and software in Intune
The third step to use Intune is to deploy and update applications and software on devices. This allows IT admins to provide and maintain the apps and software that users need to work effectively and securely. There are different types of applications and software that can be deployed and updated in Intune, such as:
- Microsoft 365 apps: These are the productivity apps that are part of the Microsoft 365 suite, such as Word, Excel, PowerPoint, Outlook, Teams, OneDrive, and more. Microsoft 365 apps can be deployed and updated on Windows 10 devices that are enrolled in Intune and can be configured with app protection and configuration policies.
- Line-of-business (LOB) apps: These are the custom or in-house apps that are developed by the organization or a third-party vendor, such as CRM, ERP, HR, and more. LOB apps can be deployed and updated on devices that are enrolled in Intune and can be configured with app protection and configuration policies. LOB apps can be packaged in different formats, such as MSI, EXE, APPX, APK, IPA, and more.
- Microsoft Store for Business apps: These are the apps that are available in the Microsoft Store for Business, which is a web-based portal that allows IT admins to find, acquire, manage, and distribute apps to devices. Microsoft Store for Business apps can be deployed and updated on Windows 10 devices that are enrolled in Intune and can be configured with app protection and configuration policies.
- Managed Google Play apps: These are the apps that are available in the Managed Google Play, which is a version of the Google Play Store that allows IT admins to approve, manage, and distribute apps to devices. Managed Google Play apps can be deployed and updated on Android devices that are enrolled in Intune and can be configured with app protection and configuration policies.
- Web apps: These are the apps that are accessed through a web browser, such as SharePoint, Salesforce, Gmail, and more. Web apps can be deployed and updated on devices that are enrolled or not enrolled in Intune and can be configured with app protection and configuration policies. Web apps can be added as shortcuts or bookmarks on the device’s home screen or browser.
For more information on how to deploy and update applications and software in Intune, please refer to this documentation: Assign apps to groups in Microsoft Intune | Microsoft Learn
How to monitor and report on device status and compliance in Intune
The fourth step to use Intune is to monitor and report on device status and compliance in the service. This allows IT admins to track and troubleshoot the devices that are enrolled and managed by Intune, and to ensure that they are compliant, secure, and up to date. There are different tools and features that can be used to monitor and report on device status and compliance in Intune, such as:
- Intune dashboard: This is the main page that shows the overview and summary of the devices, users, apps, and policies in Intune. The Intune dashboard can be accessed from the Microsoft Endpoint Manager admin center, which is the web-based portal that allows IT admins to manage and secure devices and apps across platforms. The Intune dashboard can show metrics, such as device enrolment, device compliance, device configuration, app deployment, app protection, and more.
- Intune reports: These are the detailed and granular reports that show the data and insights of the devices, users, apps, and policies in Intune. The Intune reports can be accessed from the Microsoft Endpoint Manager admin center, and can be filtered, sorted, exported, and scheduled. The Intune reports can show information, such as device inventory, device health, device activity, device location, device alerts, app inventory, app usage, app status, app errors, and more.
- Intune logs: These are the raw and unprocessed logs that show the events and actions of the devices, users, apps, and policies in Intune. The Intune logs can be accessed from the Microsoft Endpoint Manager admin center, and can be searched, analysed, and correlated. The Intune logs can show details, such as device enrolment, device sync, device policy, device command, app install, app update, app uninstall, app launch, and more.
- Intune troubleshooting: This is the feature that allows IT admins to diagnose and resolve the issues that affect the devices, users, apps, and policies in Intune. Intune troubleshooting can be accessed from the Microsoft Endpoint Manager admin center, and can be performed on individual or multiple devices, users, apps, or policies. It shows the status, errors, history, and actions for each device, user, app, and policy.
For more information on how to monitor and report on device status and compliance in Intune, please refer to this documentation: Monitor app information and assignments – Microsoft Intune | Microsoft Learn
How to remotely wipe or lock devices in Intune
The fifth and final step to use Intune is to remotely wipe or lock devices in the service. This allows IT admins to protect the data and prevent unauthorized access on the devices that are lost, stolen, or compromised. There are different options and scenarios to remotely wipe or lock devices in Intune, such as:
- Full wipe: This is the option that erases all the data and settings on the device and restores it to the factory default state. Full wipe can be performed on devices that are enrolled in Intune, and can be targeted to specific platforms, such as Windows, iOS, Android, or macOS. Full wipe can be initiated by IT admins from the Microsoft Endpoint Manager admin center, or by users from the Company Portal app or web portal.
- Selective wipe: This is the option that erases only the corporate data and settings on the device and leaves the personal data and settings intact. Selective wipe can be performed on devices that are enrolled or not enrolled in Intune, and can be targeted to specific platforms, such as iOS or Android. Selective wipe can be initiated by IT admins from the Microsoft Endpoint Manager admin center, or by users from the Company Portal app or web portal.
- Retire: This is the option that unenrolls the device from Intune and removes the device management and security policies. Retire can be performed on devices that are enrolled in Intune, and can be targeted to specific platforms, such as Windows, iOS, Android, or macOS. Retire can be initiated by IT admins from the Microsoft Endpoint Manager admin center, or by users from the Company Portal app or web portal.
- Lock: This is the option that locks the device and requires the user to enter their password or PIN to unlock it. Lock can be performed on devices that are enrolled in Intune, and can be targeted to specific platforms, such as Windows, iOS, Android, or macOS. Lock can be initiated by IT admins from the Microsoft Endpoint Manager admin center, or by users from the Company Portal app or web portal.
- Reset password: This is the option that resets the password or PIN on the device and requires the user to create a new one. Reset password can be performed on devices that are enrolled in Intune, and can be targeted to specific platforms, such as Windows, iOS, Android, or macOS. Reset password can be initiated by IT admins from the Microsoft Endpoint Manager admin center, or by users from the Company Portal app or web portal.
For more information on how to remotely wipe or lock devices in Intune, please refer to this documentation: Retire or wipe devices using Microsoft Intune | Microsoft Learn
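As an added example that is not part of the original post, the following Python ties the monitoring section and the wipe/lock section together for a BYOD fleet: it reads device records in the shape Graph v1.0 returns from GET /deviceManagement/managedDevices, flags devices that are non-compliant or have not synced within an assumed 30-day window, and picks the retire action (the selective wipe) for personal devices rather than a full wipe. The device records are constructed sample data, the action policy in choose_action is an assumption to adapt to your own rules, and the script only builds the Graph action URLs; it sends nothing.

```python
from datetime import datetime, timedelta, timezone

GRAPH = "https://graph.microsoft.com/v1.0"
STALE_DAYS = 30  # assumed threshold for "has not checked in"

# Constructed sample records, shaped like the items returned by
# GET /deviceManagement/managedDevices?$select=id,deviceName,managedDeviceOwnerType,complianceState,lastSyncDateTime
SAMPLE_DEVICES = [
    {"id": "d1", "deviceName": "LAPTOP-A", "managedDeviceOwnerType": "company",
     "complianceState": "compliant", "lastSyncDateTime": "2024-05-01T08:00:00Z"},
    {"id": "d2", "deviceName": "iPhone-B", "managedDeviceOwnerType": "personal",
     "complianceState": "noncompliant", "lastSyncDateTime": "2024-03-01T08:00:00.123Z"},
    {"id": "d3", "deviceName": "DESKTOP-C", "managedDeviceOwnerType": "company",
     "complianceState": "compliant", "lastSyncDateTime": "2024-02-01T08:00:00Z"},
    {"id": "d4", "deviceName": "LAPTOP-E", "managedDeviceOwnerType": "company",
     "complianceState": "noncompliant", "lastSyncDateTime": "2024-05-01T08:00:00Z"},
]

def parse_ts(s: str) -> datetime:
    """Graph returns UTC ISO 8601, sometimes with fractional seconds; drop them."""
    return datetime.strptime(s.split(".")[0].rstrip("Z"), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def choose_action(owner: str, stale: bool) -> str:
    """Least destructive remote action that still protects corporate data
    (an assumed policy; adjust to your organisation's rules)."""
    if stale and owner == "personal":
        return "retire"      # selective wipe: corporate data only, never the user's own
    if stale:
        return "remoteLock"  # company device gone dark: lock until confirmed; full wipe needs a confirmed loss
    return "remediate"       # still checking in: compliance policy and Conditional Access already block it

def triage(devices, now: datetime, stale_days: int = STALE_DAYS) -> dict:
    """Return {device id: (reason, action, graph_url)}; retire and remoteLock are
    POST actions on the managedDevice resource, built here but never sent."""
    plan = {}
    for d in devices:
        flags = []
        if now - parse_ts(d["lastSyncDateTime"]) > timedelta(days=stale_days):
            flags.append("stale")
        if d["complianceState"] != "compliant":
            flags.append("noncompliant")
        if not flags:
            continue
        action = choose_action(d["managedDeviceOwnerType"], "stale" in flags)
        url = None if action == "remediate" else f"{GRAPH}/deviceManagement/managedDevices/{d['id']}/{action}"
        plan[d["id"]] = (",".join(flags), action, url)
    return plan

if __name__ == "__main__":
    for dev_id, (reason, action, url) in triage(SAMPLE_DEVICES, datetime.now(timezone.utc)).items():
        print(dev_id, reason, action, url or "(no remote action)")
```

Against a real tenant the records come from a paged Graph response, so follow @odata.nextLink until it is absent before running triage over the full list.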
We hope that this blog post has helped you understand how to optimize Intune for remote work and BYOD scenarios, and how to use the service to manage and secure devices from anywhere.