* At this time not all enrollment options or functionality are available for Intune. See 'How do I enroll devices?' below for more information.
What is Intune?
Intune is a Mobile Device Management (MDM) system that enables Administrators to configure and manage devices remotely. Intune can manage Windows and Android devices (Apple Devices management coming at a future date). Manageability of the different platforms depends on the specific OS version.
How does Intune Work?
Intune is a cloud-hosted management server. Devices are enrolled into Intune and then receive policies and other configurations as they come into scope to the devices.
After enrollment, devices check into Intune for policy changes at predetermined intervals which varies by operating system. New policies created after devices are enrolled are pushed out to devices as they become available, independent from the device’s normal check in period.
Communications between the server and the devices are encrypted and no personal information such as browsing history, file contents, or passwords are collected.
How do I enroll devices?
* At this time not all enrollment options are available for Intune. Only hybrid-join enrollment for Windows devices is available, which requires a department have devices in the managed Central Services Domain. Other options, while documented below, are not available.
There are several methods of enrolling devices, depending on the operating system (also see the Intune enrollment and capabilities section below):
Where can I find Technical Documentation, resources, training materials, etc.?
Technical Documentation and information for Intune can be found at:
Is in-person or live remote training or assistance available?
Training is available subject to scheduling and availability. It is available for initial onboarding as well as follow up and can be customized based on need. You can request training from one of VT Intune’s Service Administrators by completing the IT Service Catalog item here.
The #intune slack channel or the Intune User’s Group is also a place where questions can be asked to other VT Intune users. Service administrators are also available for assistance with any issues or questions.
How can I start using Intune?
You can get started using Intune by requesting access through the Service Catalog by clicking here. Pricing and other information is available within the catalog item.
What are the different Intune Management Capabilities for Windows 10 and Android?
Windows 10 devices can be enrolled in Intune using one of two enrollment methods: either Hybrid Azure AD Joined (organizationally-owned) or Azure AD Registered (BYOD). Android devices can be enrolled through Android Enterprise or BYOD (note Android BYOD enrollment is slowly being deprecated).
The method used to enroll the device is important because it will affect the management capabilities available. There may be requirements to use a particular enrollment.
For Windows 10, Intune offers the fullest management capabilities for Windows devices in a managed Central Services Domain (CSD) OU which are ‘hybrid joined’ to Azure AD. Windows devices not in the CSD OU will use the ‘BYOD’ enrollment method and are registered to Azure AD which has relatively fewer features. For Android devices, Intune offers the fullest management for devices enrolled through Android Enterprise.
See below for an overview of types of device joins, their requirements, and capabilities.
|
Device join types |
Comment |
||
|
Intune enrollment method |
Hybrid Joined (Windows) |
Azure AD Registered (Windows)* * this enrollment method is currently not available |
|
|
Requirements for enrollment method |
Windows devices must be in a managed OU in Central Services Domain (CSD) |
Enrolling user must be licensed |
|
|
How devices are enrolled |
In the department’s managed CSD OU, the department creates a child OU named ‘[OU]-Intune’. Windows device objects in that child OU will be synced to Azure AD. |
The Microsoft Company Portal app is downloaded, installed, and used to enroll the device. The user authenticates with their credentials. |
|
|
General capabilities (from Microsoft documentation) |
|
||
|
User gets associated with device |
✔ |
✔ |
|
|
Device can access resources protected by CA |
✔ |
✔ |
|
|
Ability to configure the device setup experience |
✘ |
✘ |
|
|
Ability to enroll devices without user interaction |
✔* |
✘ |
* user will get a 2-factor Duo prompt. |
|
Ability to run PowerShell scripts (custom scripting) |
✔ |
✔ |
|
|
Supports automatic enrollment after AD domain join |
✔ |
✘ |
|
|
Supports automatic enrollment after Hybrid Azure AD Join |
✔ |
✘ |
|
|
General capabilities (Windows and Android*) |
|
||
|
Customized reporting and device compliance reporting |
✔ |
✔ |
Compliance reporting through Intune portal; customized reporting with Power BI (external to Intune) |
|
Allow administrator to reset a device pin/passcode |
✔✘ |
✔✘ * |
|
|
Perform full wipe of device |
✔ |
✔ |
|
|
Perform selective wipe of the organization’s intellectual property |
✔ |
✔ |
|
|
Compartmentalize data |
✘ |
✘ |
|
|
User portal for OS versions supported |
✔ |
✔ |
Uses Company Portal, distributed or downloaded |
|
Prevent user unenrolling device |
✔ |
✔* |
* A profile can be used to prevent unenrolling |
|
Remove/uninstall apps remotely |
✔ |
✔ |
*for Android must be Managed Play Store Apps |
|
Application allow/block list |
✔ |
✔ |
|
|
Windows-specific capabilities |
|||
|
Manage operating system patches on devices |
✔ |
✔ |
Updates via assigning Windows update rings and schedule, not KB push / SUS management |
|
Roll back packages and updates |
✔✘ |
✔✘ |
Can roll back Feature or Quality for Update Rings |
|
Force system restore / create restore points |
✔✘ |
✔✘ |
Rebuild system only, not backup files, cannot create restore points. System restore points are an old style of backup. Intune offers wipe/restore options. |
|
Check BIOS |
✘ |
✘ |
|
|
Configure deployment/installation of native Windows files (.exe, .msi) |
✔ |
✔ |
Deploying .exe requires wrapping installer in proprietary .intune file format. |
|
Configure Bitlocker |
✔ |
✔ |
|
|
Configure Applocker |
✔ |
✔ |
|
|
Disable peer-to-peer distribution of updates |
✔ |
✔ |
|
|
Wake on LAN |
✘ |
✘ |
|
|
Bulk MDM enrollment |
✔ |
✘ |
|
|
Android-specific capabilities |
|||
|
Intune enrollment method |
Android Enterprise |
Android BYOD (can be used, but being deprecated) |
|
|
How device enrolled |
On wiped Android device, token entered or QR code scanned (depends on OS version). Then user authenticates with credentials. |
The Microsoft Company Portal app is downloaded, installed, and used to enroll the device. The user authenticates with credentials. |
|
|
Force OS Upgrade |
✘* |
✘ |
For Enterprise (Fully Managed) Update settings (Automatic, Device Default, etc) are available, but no functionality to force the device to perform update on demand. |
|
Performs check of security updates |
✘* |
✘ |
See comment for ‘Force OS Upgrade’ above. |
|
Supports zero-touch enrollment |
✔* |
✘ |
Variable capability affected by device manufacturer, Google Play integration, OS version, and more. |
|
Support devices in kiosk mode |
✔ |
✔ |
|
|
Prevent content sharing through Android Beam |
✔ |
✔* |
In Device Administrator Management (BYOD) blocking beam done by disabling NFC entirely. |
|
Supports Google Play Private Channel |
✔ |
✔ |
Only available if Google Play license agreement review completes (still underway). |