Computerworld

What is Microsoft’s Intune – and how well does the UEM tool really work?

Microsoft's unified endpoint management offering, Intune, has the potential to reduce time and effort managing desktop and mobile work environments. But it's not without its own set of problems, according to users.

As businesses look for ways to give employees flexible work environments, whether on desktops or mobile devices, in the office or out in the field, IT shops have had to scramble to consolidate the management of hardware platforms using a single console.

With that IT goal in mind, Microsoft in 2011 launched its Intune cloud service to address the emerging enterprise mobility management (EMM) needs of the workplace.

Intune is designed to give IT admins an easy way to manage a variety of devices – whether corporate or personal – in a way that protects corporate data while still allowing employees to get their jobs done. It combines mobile device management (MDM) capabilities with mobile application management (MAM) features and puts them all in a single console. Though obviously tied to Windows 10 and other Microsoft products, it is designed to manage hardware running other operating systems.

Intune's arrival seven years ago came as companies were being forced to manage a sudden onslaught of devices accessing corporate data and networks – fallout from the bring-your-own-device (BYOD) trend that took off after the release of Apple's iPhone in 2007.

"Even if the workers are not mobile all the time, the way we do business today requires a different approach, and that's where Intune comes in," said Maura Hameroff, Microsoft's director of security product marketing. "We started with a cloud solution...to enable employees to have access to everything they need on the device they need."

As a subscription service, Intune charges companies on a per user/per month basis. It can be purchased as a stand-alone product for $6 per seat or for $8.74 per seat as part of Microsoft's Enterprise Mobility Suite, which includes the Azure Active Directory, Azure Rights Management Services, and Advanced Threat Analytics.

How UEM (and Intune) fits into the EMM market

Driven by corporate BYOD programs, hardware management is shifting away from a Windows-dominant world to one that is increasingly diverse and includes iOS, Android and Apple devices. Gartner predicts that 80% of worker tasks will take place on a mobile device by 2020, increasing the momentum behind unified endpoint management (UEM), which allows all user-facing devices to be managed from a single console.

By 2022, Gartner said, 30% of company-owned Windows 10 PCs will be managed using EMM software or UEM tools. That should help companies boost operational efficiency. The difficult part for many will be choosing whether to use something like Intune, or cobble together a management ecosystem built on software from a number of third-party vendors.

To be successful, any comprehensive UEM product, according to Gartner, will need to integrate with client management tools and meet the following objectives:
■ Provide a single console to configure, manage and monitor traditional mobile devices, PCs and device management of IoT assets.
■ Unify the application of data protection, device configuration and usage policies.
■ Provide a single view of multidevice users for better end-user support and to gather detailed workplace analytics.
■ Act as a coordination point to orchestrate the activities of related endpoint technologies such as identity services and security infrastructure.

[Graphic, credit Gartner: The big difference between MDM and UEM: The latter envisions managing desktop hardware as easily as mobile devices.]

The majority of vendors whose software allows UEM come from the MDM and EMM market, and many have been adding Windows management capabilities over the past couple of years, according to Chris Silva, vice president of Gartner’s Mobile, Endpoint and Wearables Computing team.


"Many have recently expanded to support ChromeOS and macOS platforms as well, placing them in a position to take on management of multiple types of traditional endpoints alongside the mobile endpoints they manage," Silva said via email. "The slate of traditional client management tools vendors, or CMTs, have been slower to build out extensions to their traditional PC management tools to handle mobile devices and modern OSes, (like Chrome, which require an MDM-like approach to manage). So, in short, the field looks very similar to past analyses of the MDM/EMM space."

In addition to Microsoft, other vendors offering UEM solutions include Blackberry, IBM, MobileIron and VMware.

In particular, VMware's AirWatch has been a standout in the capabilities it offers, particularly enabling enterprises to "bridge" the gap between traditional client management software, such as System Center Configuration Manager (SCCM) or LANDESK, and modern UEM tools, said Bryan Taylor, research director on Gartner's Mobile, Endpoint and Wearables Computing team.

"Intune and AirWatch both have a larger set of features and functionality geared toward helping you through the transition to modern management," Taylor said.

The migration of traditional PC management to EMM/UEM tools is a "key strategic imperative" for companies, but the timeline for deployment depends largely on how quickly companies want to move in that direction – and how much money they're willing to invest, according to Gartner.

The research firm recommends that "Type A" organizations – those most aggressive in adopting new technology (about 10% of all enterprises) – should already be making the shift to UEM as of this year. These organizations believe technology is a strategic differentiator.

"Type C" organizations, or the least likely to quickly embrace new technology (about 20% of enterprises), should consider UEM by 2022.

The bulk of enterprises ("Type B" or 70% of organizations) fall somewhere in the middle. They currently use a mix of technology approaches and only a small number are actively moving into UEM this year; the majority continue to maintain separate PC management tools and processes, Gartner said.

"Over the next year, we'll start to see more testing of this. But for most organizations we're not going to see earnest efforts to start moving significant portions of their Windows and Mac to a modern management paradigm [UEM] for another two to three years," Taylor said.

[Graphic, credit Gartner: UEM strategies]

Intune is widely available, rarely used

More than 50% of large enterprises already have UEM tools, mostly through comprehensive licensing agreements, but only about 5% actually use those tools today.

"Most organizations are just trying to get their heads around what it means to start down this journey," Taylor said. "They’re planning and strategizing and experimenting."

Intune's adoption rate, however, has been going "gangbusters," he said, mostly because it comes with Microsoft's Enterprise Agreement (EA) – the company's volume licensing package for organizations with 500 or more users. Intune is bundled with Azure Active Directory (AD) in EA.

"You need Azure Active Directory to make just about any of their latest generation products work," Taylor said. "So, it's not an if but a when for most organizations."

Adoption is also being driven by the overwhelming popularity of Microsoft's subscription-based software suite, Office 365, which also requires Azure AD to work.

Intune benefits because Microsoft requires it to set data protection policies for Office 365 mobile apps, in particular the familiar "save as" command for any documents. Neither iOS nor Android OS knows what to do with the "save as" command in Microsoft Office.

Not surprisingly, Intune has evolved quickly over the past year as Microsoft has moved to address many of its shortcomings; the Microsoft team seems to have gotten "religion" around the speed of mobile and has begun keeping up with the advances of other leader UEM vendors such as AirWatch and MobileIron, Taylor said.

"I've never seen a product team at Microsoft move so quickly," he said.

[Graphic, credit Gartner: Gartner's magic quadrant for UEM vendors as of June, 2018.]

What Intune can do

Through Intune's console, IT administrators can execute a UEM strategy where end users can be onboarded through any hardware platform, and rules can be applied governing which applications and what data they can access. UEM uses MDM APIs on mobile platforms to enable identity management, wireless LAN management, operational analytics and asset management. In theory, at least, UEM enables IT to remotely provision, control and secure everything from smartphones to tablets, laptops, desktops and now, Internet of Things (IoT) devices from a single management console.

Some UEM products also allow mobile application management (MAM), letting IT admins control access to specific business apps – and the content associated with them – without controlling the entire physical device.

Many of the basic application and system provisioning functions required for business laptops and PCs running Windows 10 can now be done through that OS's EMM control consoles, which are enabled by Microsoft's Intune protocol. That means organizations with more recent Windows PC deployments can use consolidated management tools and unified policy and configuration platforms via UEM.

For example, Intune's integration with Microsoft's Azure AD and Azure Information Protection enables admins to classify (and optionally protect) documents and emails by applying access rules and conditions. And Intune's integration with Azure Data Protection lets admins include watermarks on any images taken with a mobile device, whether company-issued or used via a BYOD corporate policy.

[Screenshot, credit Microsoft: Intune's enrollment screen for Android devices]

To make device management easier – especially for Windows-based shops – Microsoft last year added native EMM functionality to Windows 10 and Windows 10 Mobile OS via Intune. That's in addition to Windows 10 Mobile OS, which has a built-in device management client to deploy, configure, maintain and support smartphones.

In all editions of Windows 10, including those for desktop, mobile and Internet of Things (IoT) hardware, the client provides a single interface through which Intune can manage any Windows 10 device.

Intune enables conditional access, including denial of access to devices not managed by it or compliant with corporate IT policies; management of Office 365 and office mobile apps; and management of PCs running Windows Vista or more recent Windows releases.

An open API also allows third-party software providers, such as SAP, to wrap their application access controls into Intune's UI.

"We also use AppConfig that works for any would-be Android containers, so we can port the OS functionality for any application that needs to be protected through Intune," said Microsoft's Hameroff. "Because of the deep integration management we have with applications, we're also protecting the data within an application. So, for example, you can enforce things like copy-and-paste block. Our SDKs also have that capability, so any application you wrap it with can have copy-and-paste block."

Many of the basic application and system provisioning functions required for business laptops and PCs running Windows 10 can also be performed through EMM control consoles. Intune works with agent-based SCCM to support more advanced PC and server management capabilities.

(The Intune primary subscription includes usage rights to SCCM, which allows organizations to manage PCs and mobile devices through the same management console - another benefit of a UEM strategy.)
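As an added illustration of the app-level controls described in this section (the "save as" restriction on Office 365 mobile apps and the copy-and-paste block Hameroff mentions), here is a constructed Microsoft Graph request body for an Intune iOS app protection policy. This is not code from the article or from Microsoft; the field names follow the Graph `iosManagedAppProtection` resource (sent with `POST https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections`), while the policy name, the chosen values and the targeting of Outlook by its bundle ID `com.microsoft.Office.Outlook` are assumptions made for the example.

```json
{
  "@odata.type": "#microsoft.graph.iosManagedAppProtection",
  "displayName": "Example - Outlook data protection (BYOD)",
  "description": "Constructed example policy, not a Microsoft default",
  "saveAsBlocked": true,
  "allowedDataStorageLocations": ["oneDriveForBusiness", "sharePoint"],
  "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
  "allowedOutboundDataTransferDestinations": "managedApps",
  "allowedInboundDataTransferSources": "managedApps",
  "dataBackupBlocked": true,
  "printBlocked": true,
  "contactSyncBlocked": false,
  "organizationalCredentialsRequired": false,
  "deviceComplianceRequired": true,
  "managedBrowserToOpenLinksRequired": false,
  "pinRequired": true,
  "minimumPinLength": 6,
  "pinCharacterSet": "numeric",
  "maximumPinRetries": 5,
  "periodOnlineBeforeAccessCheck": "PT30M",
  "periodOfflineBeforeAccessCheck": "PT12H",
  "periodOfflineBeforeWipeIsEnforced": "P90D",
  "appDataEncryptionType": "whenDeviceLocked",
  "apps": [
    {
      "mobileAppIdentifier": {
        "@odata.type": "#microsoft.graph.iosMobileAppIdentifier",
        "bundleId": "com.microsoft.Office.Outlook"
      }
    }
  ]
}
```

The pairing of `saveAsBlocked` with `allowedDataStorageLocations` is what gives the "save as" command a corporate-only meaning on iOS: the app can still save, but only into OneDrive for Business or SharePoint. `allowedOutboundClipboardSharingLevel` set to `managedAppsWithPasteIn` is the copy-and-paste block in configurable form (corporate text can be pasted only between managed apps, while pasting in from personal apps is still allowed). `deviceComplianceRequired` ties the policy to the conditional access checks described above, and `maximumPinRetries` triggers a selective wipe of the managed app's data only, which is the distinction between wiping corporate data and wiping a personal phone that the BYOD discussion later in the article turns on. A practitioner should pilot such a policy on a small group first and confirm the field set against the current Graph reference before rolling it out.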

[Screenshot, credit Microsoft: Microsoft Azure's document protection user interface.]

Merck & Co. eyes Intune as its UEM answer

Carolyn Jandoli, senior director for client engineering & collaboration for New Jersey-based Merck & Co., is responsible for Microsoft deployments at the global biopharmaceutical company. Currently, her IT team is deploying Windows 10 across the company; it plans to complete the upgrade from Windows 7 by Nov. 30. Once that's done, Phase 2 of a platform upgrade will include possibly purchasing an Intune license to integrate both with the OS and their existing SCCM management console.

Merck monitors some 110,000 Windows endpoint devices worldwide and has already migrated to Office 365.

"It's just simplification where I can implement more automation. That's really what's key," Jandoli said, describing the company's thinking about Intune.

Merck currently uses MobileIron's MDM platform for mobile authorization and security, but that license is up for renewal.

[Screenshot, credit Microsoft: Intune's mobile sign-in screen]

The company's mobile environment consists of a combination of company-issued devices and BYOD policies to govern worker-owned smartphones, 85% of which are Apple iOS devices and the rest Android. Jandoli's team hopes to enable a simpler user experience for employees by offering a variety of user-friendly tools through which they can work.

"Because of the integration it has with SCCM, as well as with some of the hooks it has into Windows 10, we feel that image and vision we have for Windows 10 will be better suited by also utilizing the Intune product," Jandoli said. "Our hope is it does provide the same unified approach [for] our Macintosh environment, server environment, as well as our mobile environment."

As a pharmaceutical company governed by strict regulations, Merck has to be keenly focused on data security and believes it can take advantage of the automated processes built into Intune, such as automated document quarantining, to keep data safe.

"We've set up a list of standards and requirements that every mobile device must achieve before they can gain access to any corporate data or applications. So, we also feel it would be a nice add-on to our focus on user validation and security," Jandoli said. "There's a lot of capabilities already inherent in the product itself that could provide some of these capabilities without building customized scripts."

Many organizations have created complex layers of scripting and policies to automate the configuration and deployment of PCs, most notably for Windows devices, according to Gartner. Those scripts and policies often don't translate well in a UEM environment, meaning new processes and tools have to be found, tested and implemented before they can move ahead.

Carhartt tries Intune, runs into problems

John Hill, CIO for work clothes manufacturer Carhartt, used Intune to manage its mobile phone environment as part of an Office 365 rollout. But after running into several issues, his team abandoned it for a more comprehensive platform.

(Carhartt has 1,850 Windows PC clients, 300 corporate-issued smartphones and 200 phones under a BYOD policy; 95% of the smartphones run iOS.)

As part of a 2016 upgrade to its internal security program, Carhartt rolled out Intune through its Microsoft enterprise agreement. Hill admits he hadn't done a lot of research and assumed Intune would be easy to plug into his existing Microsoft environment.

[Screenshot, credit Microsoft: Intune's control panel for device administration, where security parameters can be selected.]

Chris Walker, Carhartt's director of infrastructure, said the company leans more toward a BYOD policy, so a MAM strategy was appealing since the hardware platform used by employees would be moot. Problems with Intune mounted, though, and Carhartt eventually limited its deployment to its mobile environment.

"We had so many problems with mobile that there's no way I was going to add desktop to it," Walker said.

Most of the issues involved policy control, policy deployment and overall administration, Walker explained. He would run into random end-users losing access to all corporate applications and data; the IT staff then had to uninstall and reinstall Intune on the device or move the users out of a group and back into the group to regain access.

Hill said he even reached out to two different industry partners who had existing Microsoft practices for advice and help. Neither were able to solve the issue.

Another problem Hill described as "absurd" involved using too few management tools on Intune, which resulted in all the mobile and application controls being deployed at once. Because the company has a BYOD policy, and "80% of corporate-issued devices are used for personal" communications, Hill said he didn't want to have phones wiped of all data because they were misplaced or a wrong password was entered too many times.

"We didn't want to have an effect on those other things: their contacts, their personal pictures and those things that make people cagey about having a management tool on their phone," he said. "We were apparently doing too little for device management and that was apparently partially causing our issues. You should be able to load an MDM [toolset] and literally be able to turn every policy off.

"We were just trying to streamline things. That's how Intune is built; it has a list of 100 different options and you just turn them on or off. We were unable to reduce the controls," Hill added.

About 10 months ago, Carhartt gave up on using Intune-only licensing and piloted – and later purchased – Microsoft's Enterprise Mobility Suite, which includes an Intune license while also offering MAM.

"It went really well and was easy to deploy. So, we essentially got rid of the independent Intune licenses and went all EMS, which gave us all those capabilities," Hill said. "That made life so much easier. Whatever apps you put in the container – and only those – is what is affected, without impacting the rest of the device."

One issue the company is still working out is the ability to support Windows, Apple and Chrome devices under one management console. "You really need three solutions to manage that," Walker said.

"The companies don't play well together. Maybe it's intentional," he added.

Brother International adds Intune to a cloud consolidation plan

Tony Serignese, vice president of Information Technology at Brother International Corp., said his company also rolled out Intune to manage its mobile device environment. After deploying Office 365 four years ago, he later learned one of the licensing packages included Intune.

So in 2016, the company rolled it out, along with Microsoft Azure.

It's using Intune only for basic MDM, but the company hopes to have a more comprehensive management program once Windows 10 is fully rolled out. Currently, Brother has 1,800 Windows desktop clients running a mix of Windows 7 and Windows 10 along with nearly 500 mobile users, most of whom are on iOS, with a smaller percentage on Android.

Prior to using Intune, Brother had used MobileIron's MDM platform for several years. But as the number of mobile devices used for work-related functions increased, so did the cost of licensing the software.

Cost biggest Intune driver, but support lacking

"The support we had wasn't really good, either," Serignese said.

"The support for Android at the time was not as robust compared to Intune," said Kai Fan, a network systems infrastructure administrator. "For example, we'd have to download separate apps in order for email to work on Android. And for Intune, with the Outlook app, we could configure a native email client on an Android [device]."

Cost, however, was the main driver – that, and consolidating systems on Microsoft, Serignese said.

"The good thing is it won't cost me any more money; it's part of our [Office 365] licensing agreement," Serignese said.

One of the IT team's complaints, however, involved problems generating reports.

"They need to improve their reporting," Fan said. "You know the devices that are on it, you can see all that, but to do anything with the data – that's very difficult."

For example, Fan said, just pulling up a list of all the Android apps running on devices was an arduous task in Intune. "It should be something easy to get," Fan said.

Another complaint was how much manual work the installation required to complete. It took the department two months to deploy; Brother would hold "Intune deployment parties" twice a week, pulling in end users from pre-determined departments.

Intune took about 15 minutes, per user, to set up. "The most time-consuming part was people figuring out what their Apple ID was," said Kirit Nayee, Brother's senior technical lead for Microsoft and cloud platforms.

Implementing Intune's configuration and topology, however, was pretty straightforward, as was setting its management policies, according to Fan.

Moving to cloud-based services has been an ongoing theme at Brother, which now uses external services for both its ERP and CRM environments; it's also planning a move to Amazon Web Services beginning next spring.

"I can say for the guys in my office, there are so many more exciting things to do than worry about memory in a server going bad or did the backup run last night," Serignese said.

Using a cloud-based mobile management platform like Intune has given the IT shop a greater sense of control over its mobile environment – and new security capabilities that weren't available on its previous in-house MDM platform.

"We're just now starting to look at the security aspect of Intune," Serignese said. "By moving to it, there's a lot more capability we can look at and not have to buy yet another product."