We have to talk about IntuneAlex Fields
There was a time, not long ago, when I would have conversations with others like me, who work for other managed service providers around the US–we would all say the same thing: “We don’t want any part of Intune–we have our own RMM tools…“
Let me be clear–I still do not think that Intune (or “Device management”) is necessarily a replacement for your RMM, such as Kaseya or SolarWinds. The reason is very simple. Like all Microsoft services, Intune/Device Management is a subscription and all the data related to that subscription is locked inside a single tenant. There is to date no way for a service provider to monitor and manage across multiple customers/subscriptions. This is true of all the Microsoft Online Services.
A traditional RMM is multi-tenant so to speak–it built for service providers, and I can easily switch between customers and get reporting/dashboards that roll up device health and other important statistics across the whole base. In the case of Microsoft I have to login 200 times to monitor 200 different tenants. It just doesn’t scale.
But, that doesn’t mean it isn’t valuable, or that we shouldn’t be looking at it.
Consider replacing Group Policy sooner than later
Visualize for a moment a future without Group Policy, or indeed, without any on-premises based Active Directory at all. Or, tell you what–you don’t even have to go that far–just think about all of the short comings of AD-joined computers that we have to deal with today.
When someone is out of the office for a prolonged period of time (e.g. sales teams, semi-absent business owners, etc.), we have expiring / mismatched passwords, workstations losing trust with domain, and devices falling out of compliance with the updates and policies we are pushing/managing.
To mitigate the issues, we needed VPN or DirectAccess/Always On VPN, etc. Even so, inevitably, we would end up taking more support calls, and deliver a sub-par customer experience. Not to mention, Group Policy includes no mechanism for reporting on “compliance” with policy in real time.
Intune solves literally all of this. I think of it as Group Policy on steroids.
Cloud-native device management
The obvious benefit to having a cloud-based device management tool is that the endpoint can remain in touch with the service anywhere.* If you push a new policy you can bet that the endpoint will get it in a timely fashion. You can also report on devices that are compliant or not compliant with your policies.
Device compliance flows directly into another major security feature: Conditional access. You can withhold access to resources if a device is not compliant. This means that devices are forced to register and enroll themselves in the service, and become compliant with policy before gaining access to corporate data.
Microsoft recently announced something else that caught my attention. Security baseline policies built-in to Intune. This is a natural progression from the Security and Compliance Toolkit (SCT), which included some canned baseline GPO’s (and this is another good resource, by the way–check it out).
The baselines are something that Microsoft is promising to keep up to date with versioning, so that you can stay current with the recommended best practices and security configurations. Once you have your configuration profiles deployed, you can also see which devices match and do not match the configuration. So there is real value-add here, which we did not get with the traditional SCT kit.
In general, workers want to become less tethered and more mobile–they want the option to work remotely, etc. And it is happening whether we switch our management tools over or not. Wouldn’t you rather have a device managed than sitting out there in the ether, in its own workgroup? This is one reason I argue that corporate issued devices moving forward should be joined to Azure AD (not local AD) and managed via Intune, rather than Group Policy. Remember: Even in a hybrid environment, Azure AD joined computers can enjoy SSO to on-premises resources like file servers.
Now obviously Windows 10 has the best support and most levers available here, but Intune also supports iOS, Android and even macOS. So it can do things that a traditional Active Directory and Group Policy never could. This allows you to manage all of your devices in a similar way, with a single policy set.
Yes, I know there is some overlap in features/functionality between a traditional RMM and Intune. Both can generally be used to push updates, software packages, PowerShell scripts, etc. But I also do not see one displacing the other. Your RMM continues to provide a valuable service for your customers, at scale. Intune is, however, the next evolution of Group Policy and device management in the Microsoft cloud.
If you had to make Group Policy changes to 200 individual domains before, you still have to do the same here, and your RMM is not going anywhere because of that–it will continue to be your go-to for real time reporting and providing a high level of customer service and support to your end-users.
For hybrid AAD joined devices. Will their be policy conflicts?
It is conceivable, yes–so be mindful as you introduce new policies via the cloud. For example, if you have a GPO that enforces BitLocker or UAC, or something, and you want to replace that with a cloud equivalent policy, roll changes mindfully, unlinking policies on-prem or exempting users from those policies as the same users are rolled over to new policies in the cloud.