Microsoft Intune is a cloud-based service which allows a workforce to be productive whilst still keeping all of your corporate data protected. It is part of the Microsoft Office 365 suite of tools, which makes it available to access through the Azure portal.

Intune allows businesses to:

  • Manage mobile and desktop devices used to access company data
  • Manage mobile apps used
  • Protect company info by controlling how it is accessed and shared
  • Ensure apps and devices comply with company security requirements

Intune integrates with Azure Active Directory (AD) for identity and access control, Azure Information Protection for data protection, and is accessed through the Azure portal.
As part of Microsoft’s Enterprise Mobility + Security (EMS), Intune is the component that handles mobile devices and apps.
Two main features are Device management and App management, where a business uses either of these depends on the problem they are trying to solve.

These are some common issues:

  • A pool of single-use devices shared by shift-workers would require strong use of device management
  • A Bring-Your-Own-Device (BYOD) deployment, where a workforce is allowed to use personal devices to access corporate data, would require use of app management and data protection
  • All of the technologies will be used in a scenario such as issuing corporate phones to information workers

Device Management

  • Organisation-owned devices can be configured with full control (settings, features, security etc.), and enrolled in Intune. Once a device has been enrolled, it will inherit any rules and settings you have configured as policies through Intune.
  • Examples include password/PIN requirements, create VPNs, set up threat protection etc.
  • Personal/BYOD users may not want admins to have full control so they can be given options for how they want to connect their devices. If they want full access to organisation resources then they can enrol their devices, or if they only want access to specific apps, then app protection policies can be put in place that require Multi-Factor Authentication in order to be able to use devices.

When devices are enrolled and managed with Intune, admins can:

  • See enrolled devices, and an inventory of devices that access organisation resources
  • Configure devices to meet security/health standards
  • Push certificates to devices so users can access a WiFi network or use a VPN to connect to a network
  • See reports on users and devices that are compliant/non-compliant
  • Remove organisation data if a device is lost, stolen, or no longer used

App Management

  • Can be used on organisation-owned devices, as well as personal devices/BYOD
  • Mobile Application Management (MAM) is designed to protect company data at the application level, including store apps and custom apps

When apps are managed in Intune, admins can:

  • Add/assign mobile apps to user groups and devices
  • Configure apps to start or run with specific settings enabled, and update existing apps on the device
  • See reports on app usage, and track usage
  • Perform a selective wipe by only removing organisation data from apps

Intune provides mobile app security, one of the ways it does this is through App Protection policies. These policies:

  • Use Azure Active Directory identity to isolate organisation data away from personal data. Any data accessed using company credentials are given additional security protection.
  • Help secure access on personal devices by restricting actions a user can take
  • Can be created and deployed on devices enrolled in Intune, another Mobile Device Management (MDM) service, or devices not enrolled in any MDM service. App protection policies can add an extra layer of protection on enrolled devices.

Common Uses for Intune

Microsoft have stated that these are the six most common scenarios where Intune is used:

Protecting on-premises email and data so mobile devices can safely access it
Intune and Microsoft EMS can provide Exchange Server with a Conditional Access solution that ensures mobile apps cannot access email unless the device they are installed on is enrolled with Intune.

Protecting your Office 365 email and data so it can be safely accessed by mobile devices
Set up solutions that ensure no users, apps, or devices can access Office 365 data unless they meet compliance requirements set by your company.

Offer a bring your own device program to all employees
Instead of enrolling a personal device that is managed by the company, Intune can use an alternative BYOD where the company only manages apps on a personal device which contain corporate data.

Issue corporate owned phones to all your employees
Companies can give employees mobiles loaded with the Intune Company Portal app, along with security policies and corporate-branded setup flows managed through Intune.

Issue limited use shared tablets to your employees
Companies can provide employees with tablets set for limited-use, so they can only access and interact with single apps or services. These devices can be bulk provisioned, secured, and centrally managed through Intune.

Enable your employees to securely access Office 365 from an unmanaged public kiosk
Using Intune and Microsoft EMS, companies can set and limit employee access to Office 365 apps and services on devices not managed by Intune, ensuring corporate data isn’t accidentally left on untrusted public devices.


If you are interested in using Microsoft Intune for your company, don’t hesitate to get in contact with us, and if you have any questions our experts can help you out.