Offer Secure Flexibility Device Management With Microsoft Intune

Offer Secure Flexibility: Device Management with Microsoft Intune 

Arraya Insights | December 13, 2022

Maintaining the flexible work arrangements that employees have come to know has become necessary to both retain existing talent and broaden the search for new talent. While the added benefits of remote collaboration provide many perks for employees and their productivity, it also increases attack surface and risk.

As there are no signs of cyber threats slowing down, the growing number of endpoints that businesses rely on may pose a significant data privacy and security threat. Adding to this, many organizations have traditionally supported and implemented more bring-your-own-device conditional models, allowing employees to access company information and networks from their own laptops, cell phones, and more.  

Best practices require an endpoint management solution to protect data, apply configurations, manage access, and support users wherever they’re working.  

This is where the many benefits of mobile device management software come into play, specifically Microsoft’s Intune.  

What is Microsoft Intune?  

In a world full of endpoints, mobile device management with Intune provides businesses and enterprises with the ability to manage identities, applications, and devices. This cloud-based endpoint management solution keeps access and data protected on both organization-owned and users’ personal devices.  

Intune Integration with On-Prem 

Most modern environmental challenges can now be addressed with Intune’s improved capabilities. Previous challenges with authentication, applications, and processes have taken great strides in closing the gap with technologies such as certificate distribution, wireless connectivity, and VPN requirements. These have made the MDM experience seamless all while maintaining its core pillars of service.  

At the core of the services provided by Azure Active Directory, Intune integrates with cloud applications by making them available through Azure App Proxy, Certificate Connectors, and various third-party integrations for configuration management and immutable settings. 

Intune features the ability to manage applications and devices through three connection types:  

  • Mobile Device Management (MDM): Mobile device management is used for enterprise-owned device management in Microsoft 365, giving the IT team full control of the device. This includes the ability to manage, wipe, and locate the device, should they deem it necessary.   
  • Mobile Application Management (MAM): Mobile application management is designed to protect corporate data at the application level. This is used to install, contain, and control the application whether it’s on a user’s personal device or in a company-owned and fully managed state. MAM is commonly used in device BYOD models in which employees access company data, networks, and services from their personal devices. 

    This provides admins and IT teams with the remote capability to control company data by: 
    • Adding and assigning mobile apps to users, user groups, and devices
    • Configuring apps to start or run within specific settings
    • Updating managed apps already on the device
    • Monitoring reports to track managed app usage
    • Selectively wiping only organization data from apps without disturbing personal apps
  • Mobile Application Management – Without Enrollment (MAM-WE): MAM without enrollment provides the ability to create MAM Application configurations. These can fully manage the company data and apply security configurations to a personal device without affecting any other personal applications or data or requiring Intune Enrollment. 

    This is the more popular configuration that still provides top-notch security and control while maintaining the separation of personal content and business content on a personal device.  

Intune provides this security through app protection policies. These use Azure AD/Microsoft 365 identity protection to isolate organization data from personal data. When coupled with Microsoft Purview, these restrict certain actions, such as copy-and-paste, save, and more.  

The integration with Azure AD enables broad access controls, such as requiring mobile devices to be compliant with organization standards before accessing network resources. This includes requiring multi-factor authentication, conditional access settings for device enrollment, and allowing administrators to manage access to application features and services accessed on the devices with more stringent policy-based requirements.   

Understanding How Intune Fits into the Bigger Picture 

Intune is often underutilized, or businesses may not understand how it integrates with other tools and solutions. Here is a breakdown of what users can expect.

Virtual Desktop  

While we’ve previously focused on virtual desktop infrastructure (VDI) solutions for unmanaged BYOD devices within the remote workspace, this type of solution differs from Microsoft Intune.  

Azure Virtual Desktop is a virtual workstation fully managed by corporate which provides employees and contractors with client or web-based, remote access to their work environment from a personal device. While this configuration is a shared responsibility model within Azure, it does offer configurations based on an image that can come from the Azure catalog of images or Bring-Your-Own-Image support to maintain a uniform configuration. Additionally, Microsoft’s Intune can be integrated to deploy applications, user experience modifications, Windows Updates, and compliance restrictions to enrolled AVD workstations. 

Intune does integrate seamlessly with Cloud PC, which can be added directly in-console with the correct enterprise-licensed Cloud PC SKUs. Once the licenses are active, you’ll have the ability to create configurations and connect directly to your Azure Tenant network. This provides a similar capability to customize your images or take from a default configuration and assign a profile to your licensed users. 


Windows Autopilot is designed to allow end users to deploy, reset, and repurpose devices without the involvement of IT. This is the traditional way to add a device to your network through Azure Directory within an MDM service, such as Intune.  

This includes: 

  • Starting the configuration of your windows device from the cloud upon Out of Box Experience (OOBE) 
  • Outlining configuration processes so you can keep track of progress, monitor enrolled devices, and apply configuration and compliance policies at the time of setup 
  • Providing a simple and personalized set up process with user assignment and application pre-provisioning, which speeds up the setup for the end user 
  • Connecting devices deployed with Windows Autopilot to Azure AD and Intune 

You can create an Autopilot Enrollment Profile using Intune for Windows 10 and Windows 11. This configuration also supports shared devices setup and device level initiation, which bypasses the user ID input at startup. 

Microsoft Managed Desktop vs Intune 

Microsoft Managed Desktop is a cloud-based service that brings together Microsoft 365 (including Windows 10 Enterprise and O365 Enterprise) and adds: 

  • User device deployment 
  • IT service management and operations 
  • Security monitoring and response 

For organizations seeking to accelerate their digital transformation, Microsoft Managed Desktop is a cloud-based IT management and security monitoring service that improves user productivity and empowers IT to focus on core business goals. Microsoft Managed Desktop customers enjoy fantastic device experiences that are always up-to-date, secure, and monitored, with actionable service insights for IT and device users. 

While Managed Desktop does manage registered devices and the Microsoft software they use, it can’t provide the remote capabilities many organizations need today. Instead, Intune will give you many more options to monitor your devices, apply configurations, and have them report back at regular intervals.   

Next Steps: What is Your Mobile Device Management Strategy? 

Whether you’re looking for licensing for your small business or enterprise, mobile device management with Microsoft Intune can help you provide the flexibility your employees are looking for with the security that your organization needs.   

Depending on your subscription, you may already have access to Intune included in your existing Microsoft licensing that you’re not using. Those in education, manufacturing, and healthcare often have an extensive number of devices connecting to their network. Managing these mobile devices can be made much simpler through Intune.  

An Intune user and device subscription is available as a standalone product, or within one of the following bundled licenses:  

  • Microsoft 365 E5  
  • Microsoft 365 E3  
  • Enterprise Mobility + Security E5  
  • Enterprise Mobility + Security E3  
  • Microsoft 365 Business Premium  
  • Microsoft 365 F1  
  • Microsoft 365 F3  
  • Microsoft 365 Government G5  
  • Microsoft 365 Government G3  
  • Intune for Education  

Is Intune already a part of your licensing?  

Whether you have questions surrounding your Microsoft licensing or how to best manage your remote capabilities, contact one of our experts to start a conversation today and to learn more about mobile device management with Microsoft Intune.  

Visithttps://www.arrayasolutions.com/contact-us/ to connect with our team now.      

Comment on this and all of our posts on: LinkedIn, Twitter and Facebook.      

Follow us to stay up to date on our industry insights and unique IT learning opportunities.