What is Microsoft’s Intune – and how well does the UEM tool really work?

Microsoft's unified endpoint management offering, Intune, has the potential to reduce time and effort managing desktop and mobile work environments. But it's not without its own set of problems, according to users.


As businesses look for ways to give employees flexible work environments, whether on desktops or mobile devices, in the office or out in the field, IT shops have had to scramble to consolidate the management of hardware platforms using a single console.

With that IT goal in mind, Microsoft in 2011 launched its Intune cloud service to address the emerging enterprise mobility management (EMM) needs of the workplace.

Intune is designed to give IT admins an easy way to manage a variety of devices – whether corporate or personal – in a way that protects corporate data while still allowing employees to get their jobs done. It combines mobile device management (MDM) capabilities with mobile application management (MAM) features and puts them all in a single console. Though obviously tied to Windows 10 and other Microsoft products, it is designed to manage hardware running other operating systems as well.

Intune's arrival seven years ago came as companies were being forced to manage a sudden onslaught of devices accessing corporate data and networks – fallout from the bring-your-own-device (BYOD) trend that took off after the release of Apple's iPhone in 2007.

"Even if the workers are not mobile all the time, the way we do business today requires a different approach, and that's where Intune comes in," said Maura Hameroff, Microsoft's director of security product marketing. "We started with a cloud solution...to enable employees to have access to everything they need on the device they need."

As a subscription service, Intune charges companies on a per user/per month basis. It can be purchased as a stand-alone product for $6 per seat or for $8.74 per seat as part of Microsoft's Enterprise Mobility Suite, which includes the Azure Active Directory, Azure Rights Management Services, and Advanced Threat Analytics.

How UEM (and Intune) fits into the EMM market

Driven by corporate BYOD programs, hardware management is shifting away from a Windows-dominant world to one that is increasingly diverse and includes iOS, Android and macOS devices. Gartner predicts that 80% of worker tasks will take place on a mobile device by 2020, increasing the momentum behind unified endpoint management (UEM), which allows all user-facing devices to be managed from a single console.

By 2022, Gartner said, 30% of company-owned Windows 10 PCs will be managed using EMM software or UEM tools. That should help companies boost operational efficiency. The difficult part for many will be choosing whether to use something like Intune, or to cobble together a management ecosystem built on software from a number of third-party vendors.

To be successful, any comprehensive UEM product, according to Gartner, will need to integrate with client management tools and meet the following objectives:
■ Provide a single console to configure, manage and monitor traditional mobile devices, PCs and device management of IoT assets.
■ Unify the application of data protection, device configuration and usage policies.
■ Provide a single view of multidevice users for better end-user support and to gather detailed workplace analytics.
■ Act as a coordination point to orchestrate the activities of related endpoint technologies such as identity services and security infrastructure.


The big difference between MDM and UEM: The latter envisions managing desktop hardware as easily as mobile devices.

The majority of vendors whose software allows UEM come from the MDM and EMM market, and many have been adding Windows management capabilities over the past couple of years, according to Chris Silva, vice president of Gartner’s Mobile, Endpoint and Wearables Computing team.


"Many have recently expanded to support ChromeOS and macOS platforms as well, placing them in a position to take on management of multiple types of traditional endpoints alongside the mobile endpoints they manage," Silva said via email. "The slate of traditional client management tools vendors, or CMTs, have been slower to build out extensions to their traditional PC management tools to handle mobile devices and modern OSes, (like Chrome, which require an MDM-like approach to manage). So, in short, the field looks very similar to past analyses of the MDM/EMM space."

In addition to Microsoft, other vendors offering UEM solutions include Blackberry, IBM, MobileIron and VMware.

In particular, VMware's AirWatch has been a standout in the capabilities it offers, particularly in enabling enterprises to "bridge" the gap between traditional client management software, such as System Center Configuration Manager (SCCM) or LANDESK, and modern UEM tools, said Bryan Taylor, research director on Gartner's Mobile, Endpoint and Wearables Computing team.

"Intune and AirWatch both have a larger set of features and functionality geared toward helping you through the transition to modern management," Taylor said.

The migration of traditional PC management to EMM/UEM tools is a "key strategic imperative" for companies, but the timeline for deployment depends largely on how quickly companies want to move in that direction – and how much money they're willing to invest, according to Gartner.

The research firm recommends that "Type A" organizations – those most aggressive in adopting new technology (about 10% of all enterprises) – should already be making the shift to UEM as of this year. These organizations believe technology is a strategic differentiator.

"Type C" organizations, or the least likely to quickly embrace new technology (about 20% of enterprises), should consider UEM by 2022.

The bulk of enterprises ("Type B" or 70% of organizations) fall somewhere in the middle. They currently use a mix of technology approaches and only a small number are actively moving into UEM this year; the majority continue to maintain separate PC management tools and processes, Gartner said.

"Over the next year, we'll start to see more testing of this. But for most organizations we're not going to see earnest efforts to start moving significant portions of their Windows and Mac to a modern management paradigm [UEM] for another two to three years," Taylor said.


Intune is widely available, rarely used

More than 50% of large enterprises already have UEM tools, mostly through comprehensive licensing agreements, but only about 5% actually use those tools today.

"Most organizations are just trying to get their heads around what it means to start down this journey," Taylor said. "They’re planning and strategizing and experimenting."

Intune's adoption rate, however, has been going "gangbusters," he said, mostly because it comes with Microsoft's Enterprise Agreement (EA) – the company's volume licensing package for organizations with 500 or more users. Intune is bundled with Azure Active Directory (AD) in EA.

"You need Azure Active Directory to make just about any of their latest generation products work," Taylor said. "So, it's not an if but a when for most organizations."

Adoption is also being driven by the overwhelming popularity of Microsoft's subscription-based software suite, Office 365, which also requires Azure AD to work.

Intune benefits because Microsoft requires it to set data protection policies for Office 365 mobile apps, in particular for the familiar "save as" command on any document. Neither iOS nor Android natively knows what to do with the "save as" command in Microsoft Office, so the app protection policy decides where a document may be saved.

Not surprisingly, Intune has evolved quickly over the past year as Microsoft has moved to address many of its shortcomings; the Microsoft team seems to have gotten "religion" around the speed of mobile and has begun keeping up with the advances of other leading UEM vendors such as AirWatch and MobileIron, Taylor said.

"I've never seen a product team at Microsoft move so quickly," he said.


Gartner's magic quadrant for UEM vendors as of June, 2018.

What Intune can do

Through Intune's console, IT administrators can execute a UEM strategy in which end users can be onboarded from any hardware platform, and rules can be applied governing which applications and what data they can access. UEM uses the MDM APIs built into each mobile platform to enable identity management, wireless LAN management, operational analytics and asset management. In theory, at least, UEM enables IT to remotely provision, control and secure everything from smartphones to tablets, laptops, desktops and now Internet of Things (IoT) devices from a single management console.

Some UEM products also allow mobile application management (MAM), letting IT admins control access to specific business apps – and the content associated with them – without controlling the entire physical device.

Many of the basic application and system provisioning functions required for business laptops and PCs running Windows 10 can now be done through EMM control consoles, because Windows 10 ships with a built-in MDM client that Intune talks to. That means organizations with more recent Windows PC deployments can use consolidated management tools and unified policy and configuration platforms via UEM.

For example, Intune's integration with Microsoft's Azure AD and Azure Information Protection enables admins to classify (and optionally protect) documents and emails by applying access rules and conditions. And Intune's integration with Azure Data Protection lets admins include watermarks on any images taken with a mobile device, whether company-issued or used via a BYOD corporate policy.

Intune's enrollment screen for Android devices

To make device management easier – especially for Windows-based shops – Microsoft last year added native EMM functionality to Windows 10 via Intune. Windows 10 Mobile already had a built-in device management client to deploy, configure, maintain and support smartphones.

In all editions of Windows 10, including those for desktop, mobile and Internet of Things (IoT) hardware, the client provides a single interface through which Intune can manage any Windows 10 device.

Intune enables conditional access, including denying access to devices that are not managed by it or not compliant with corporate IT policies; management of Office 365 and Office mobile apps; and management of PCs running Windows Vista or more recent Windows releases.

An open API also allows third-party software providers, such as SAP, to wrap their application access controls into Intune's UI.

"We also use AppConfig that works for any would-be Android containers, so we can port the OS functionality for any application that needs to be protected through Intune," said Microsoft's Hameroff. "Because of the deep integration management we have with applications, we're also protecting the data within an application. So, for example, you can enforce things like copy-and-paste block. Our SDKs also have that capability, so any application you wrap it with can have copy-and-paste block."
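The two controls described above, conditional access that denies Office 365 to non-compliant devices and an app protection policy that blocks "save as" and cut/copy/paste out of Office for iOS, expressed as an added PowerShell example against Microsoft Graph. This is not code from the article or from Microsoft. It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in account holds the listed permissions, and that the endpoint paths, property names (saveAsBlocked, allowedOutboundClipboardSharingLevel, builtInControls) and Office bundle IDs are as the author knows them; the break-glass account ID is a placeholder.

```powershell
# Added example (not the article's or Microsoft's code): create an Intune iOS app
# protection (MAM) policy and an Azure AD conditional access policy via Microsoft Graph.
# Assumes the Microsoft.Graph PowerShell SDK and an account allowed to manage both.
#Requires -Modules Microsoft.Graph.Authentication

Connect-MgGraph -Scopes 'DeviceManagementApps.ReadWrite.All',
                        'Policy.ReadWrite.ConditionalAccess',
                        'Policy.Read.All'

# --- 1. App protection policy: block "Save As" and clipboard leakage in Office for iOS ---
$appPolicy = @{
    '@odata.type'                           = '#microsoft.graph.iosManagedAppProtection'
    displayName                             = 'Corp - Office for iOS data protection'
    description                             = 'Block Save As and cut/copy/paste to unmanaged apps'
    saveAsBlocked                           = $true                     # the "save as" control described above
    allowedOutboundClipboardSharingLevel    = 'managedAppsWithPasteIn'  # copy out only to managed apps
    allowedOutboundDataTransferDestinations = 'managedApps'
    allowedInboundDataTransferSources       = 'managedApps'
    pinRequired                             = $true
    deviceComplianceRequired                = $true
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/beta/deviceAppManagement/iosManagedAppProtections' `
    -ContentType 'application/json' `
    -Body ($appPolicy | ConvertTo-Json -Depth 5)

# Target the policy at the Office apps (bundle IDs assumed; check them against your tenant's app list).
$targetApps = @{
    apps = @(
        foreach ($bundleId in 'com.microsoft.Office.Word', 'com.microsoft.Office.Excel', 'com.microsoft.Office.Outlook') {
            @{
                '@odata.type'       = '#microsoft.graph.managedMobileApp'
                mobileAppIdentifier = @{
                    '@odata.type' = '#microsoft.graph.iosMobileAppIdentifier'
                    bundleId      = $bundleId
                }
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceAppManagement/iosManagedAppProtections/$($created.id)/targetApps" `
    -ContentType 'application/json' `
    -Body ($targetApps | ConvertTo-Json -Depth 6)

# --- 2. Conditional access: Office 365 only from compliant (Intune-managed) or hybrid-joined devices ---
$breakGlassObjectId = '00000000-0000-0000-0000-000000000000'   # placeholder: your emergency-access account
$caPolicy = @{
    displayName   = 'Require compliant device for Office 365'
    state         = 'enabledForReportingButNotEnforced'   # report-only first; set to 'enabled' after review
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlassObjectId) }
        applications   = @{ includeApplications = @('Office365') }
        platforms      = @{ includePlatforms = @('iOS', 'android', 'windows') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('compliantDevice', 'domainJoinedDevice')
    }
}
$ca = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' `
    -ContentType 'application/json' `
    -Body ($caPolicy | ConvertTo-Json -Depth 5)

# Read the policy back so the change is verified rather than assumed.
Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/$($ca.id)" |
    Select-Object displayName, state
```

Two practitioner caveats are built in: the conditional access policy starts in report-only mode so that sign-in logs show who would have been blocked before anyone actually is, and an emergency-access account is excluded so a mis-scoped device-compliance rule cannot lock every administrator out of the tenant.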

Beyond what the Windows 10 MDM client exposes, Intune works with agent-based SCCM to support more advanced PC and server management capabilities.

(The Intune primary subscription includes usage rights to SCCM, which allows organizations to manage PCs and mobile devices through the same management console - another benefit of a UEM strategy.)


Microsoft Azure's document protection user interface.

Merck & Co. eyes Intune as its UEM answer

Carolyn Jandoli, senior director for client engineering & collaboration for New Jersey-based Merck & Co., is responsible for Microsoft deployments at the global biopharmaceutical company. Currently, her IT team is deploying Windows 10 across the company; it plans to complete the upgrade from Windows 7 by Nov. 30. Once that's done, Phase 2 of a platform upgrade will include possibly purchasing an Intune license to integrate both with the OS and their existing SCCM management console.

Merck monitors some 110,000 Windows endpoint devices worldwide and has already migrated to Office 365.

"It's just simplification where I can implement more automation. That's really what's key," Jandoli said, describing the company's thinking about Intune.

Merck currently uses MobileIron's MDM platform for mobile authorization and security, but that license is up for renewal.


Intune's mobile sign in screen

The company's mobile environment consists of a combination of company-issued devices and BYOD policies to govern worker-owned smartphones, 85% of which are Apple iOS devices and the rest Android. Jandoli's team hopes to enable a simpler user experience for employees by offering a variety of user-friendly tools through which they can work.

"Because of the integration it has with SCCM, as well as with some of the hooks it has into Windows 10, we feel that image and vision we have for Windows 10 will be better suited by also utilizing the Intune product," Jandoli said. "Our hope is it does provide the same unified approach [for] our Macintosh environment, server environment, as well as our mobile environment."
