We have to talk about Intune

Back to Blog
06Feb2019

We have to talk about Intune

There was a time, not long ago, when I would have conversations with others like me, who work for other managed service providers around the US–we would all say the same thing: “We don’t want any part of Intune–we have our own RMM tools…

Let me be clear–I still do not think that Intune (or “Device management”) is necessarily a replacement for your RMM, such as Kaseya or SolarWinds. The reason is very simple. Like all Microsoft services, Intune/Device Management is a subscription and all the data related to that subscription is locked inside a single tenant. There is to date no way for a service provider to monitor and manage across multiple customers/subscriptions. This is true of all the Microsoft Online Services.

A traditional RMM is multi-tenant so to speak–it built for service providers, and I can easily switch between customers and get reporting/dashboards that roll up device health and other important statistics across the whole base. In the case of Microsoft I have to login 200 times to monitor 200 different tenants. It just doesn’t scale.

But, that doesn’t mean it isn’t valuable, or that we shouldn’t be looking at it.

Consider replacing Group Policy sooner than later

Visualize for a moment a future without Group Policy, or indeed, without any on-premises based Active Directory at all. Or, tell you what–you don’t even have to go that far–just think about all of the short comings of AD-joined computers that we have to deal with today.

When someone is out of the office for a prolonged period of time (e.g. sales teams, semi-absent business owners, etc.), we have expiring / mismatched passwords, workstations losing trust with domain, and devices falling out of compliance with the updates and policies we are pushing/managing.

To mitigate the issues, we needed VPN or DirectAccess/Always On VPN, etc. Even so, inevitably, we would end up taking more support calls, and deliver a sub-par customer experience. Not to mention, Group Policy includes no mechanism for reporting on “compliance” with policy in real time.

Intune solves literally all of this. I think of it as Group Policy on steroids.

Cloud-native device management

The obvious benefit to having a cloud-based device management tool is that the endpoint can remain in touch with the service anywhere.* If you push a new policy you can bet that the endpoint will get it in a timely fashion. You can also report on devices that are compliant or not compliant with your policies.

Device compliance flows directly into another major security feature: Conditional access. You can withhold access to resources if a device is not compliant. This means that devices are forced to register and enroll themselves in the service, and become compliant with policy before gaining access to corporate data.

Security baselines

Microsoft recently announced something else that caught my attention. Security baseline policies built-in to Intune. This is a natural progression from the Security and Compliance Toolkit (SCT), which included some canned baseline GPO’s (and this is another good resource, by the way–check it out).

The baselines are something that Microsoft is promising to keep up to date with versioning, so that you can stay current with the recommended best practices and security configurations. Once you have your configuration profiles deployed, you can also see which devices match and do not match the configuration. So there is real value-add here, which we did not get with the traditional SCT kit.

Conclusions

In general, workers want to become less tethered and more mobile–they want the option to work remotely, etc. And it is happening whether we switch our management tools over or not. Wouldn’t you rather have a device managed than sitting out there in the ether, in its own workgroup? This is one reason I argue that corporate issued devices moving forward should be joined to Azure AD (not local AD) and managed via Intune, rather than Group Policy. Remember: Even in a hybrid environment, Azure AD joined computers can enjoy SSO to on-premises resources like file servers.

Now obviously Windows 10 has the best support and most levers available here, but Intune also supports iOS, Android and even macOS. So it can do things that a traditional Active Directory and Group Policy never could. This allows you to manage all of your devices in a similar way, with a single policy set.

Yes, I know there is some overlap in features/functionality between a traditional RMM and Intune. Both can generally be used to push updates, software packages, PowerShell scripts, etc. But I also do not see one displacing the other. Your RMM continues to provide a valuable service for your customers, at scale. Intune is, however, the next evolution of Group Policy and device management in the Microsoft cloud.

If you had to make Group Policy changes to 200 individual domains before, you still have to do the same here, and your RMM is not going anywhere because of that–it will continue to be your go-to for real time reporting and providing a high level of customer service and support to your end-users.

Opinion , , , 2 Comments
Share:

Comments (2)

  • Dylan Reply

    For hybrid AAD joined devices. Will their be policy conflicts?

    February 25, 2020 at 6:09 pm
    • Alex Reply

      It is conceivable, yes–so be mindful as you introduce new policies via the cloud. For example, if you have a GPO that enforces BitLocker or UAC, or something, and you want to replace that with a cloud equivalent policy, roll changes mindfully, unlinking policies on-prem or exempting users from those policies as the same users are rolled over to new policies in the cloud.

      February 26, 2020 at 10:15 am

Leave a Reply

Back to Blog

Related Posts

06Mar

Can OneDrive and SharePoint replace my file server? Probably, with Files On-Demand.

The real answer to this question is: it depends. But the shorter version is: probably. You'll just want to enable Files On-Demand first.* OneDrive has been great for personal files for a long time--I usually recommend clients start by replacing redirected "Documents" folders with OneDrive for... read more
19Sep

The Measure of Success

How do you measure success? In the world of consulting, we live and die by the billable hour. Utilization. But I haven't watched that metric for myself--ever. I've been told to, of course. But as with many conventions, I generally ignore it. These days, I'm lucky enough to... read more
22Feb

Azure Virtual Machines: Were you aware of the MAJOR caveat to their SLA?

I think this is important to many Azure customers, but very few seem to be aware of it.  So, I decided to record this caveat into a blog post, for future ease of reference. Most people think of the cloud as a great way to provide up-time to... read more
Hybrid Azure AD Join or not?
08Jul

Should I use Hybrid Azure AD Join or not?

I consulted with an MSP recently about one of their larger customers, and whether or not to implement Hybrid Azure AD Join for existing Windows workstations (joined to traditional Active Directory). The classic consultant answer of course is, "It depends." In certain cases, perhaps. But... read more
19Oct

Azure Virtual Network: What is the difference between Policy-based and Route-based VPN?

You want to configure a Site-to-Site (S2S) VPN tunnel from an on-premises hardware VPN device, such as your firewall, and an Azure Virtual Network. For this, you require several objects in Azure. One of those is a "virtual network gateway"--which is basically just a software... read more
21Mar

How to not be an idiot on the Internet

There was a really funny security article circulated a few years ago after the crypto-variant viruses first started becoming a widespread problem; I wish I could remember who had written it, and if I could find it again I would link to it here and give them due... read more
10Jan

Busting the myth behind Secure Score

For someone who writes so extensively on Microsoft / Office 365 products, especially with regard to security, I haven't said much about their Secure Score tool on this site yet. Probably I have mentioned it once or twice, but I haven't opined on it, officially. So... read more
Global Secure Access for the SMB
16Apr

Global Secure Access: Is it for the SMB?

A couple of months ago, I presented a session on Microsoft Entra's Global Secure Access (GSA), which is really two products under a single unifying banner. Image credit: Microsoft Almost nobody in the audience had heard of Global Secure Access before. Granted, it was (and still is)... read more
18Oct

Microsoft 365 Enterprise: What Windows 10 goodies are included that you don’t get with Pro/Business?

In this article, I wanted to highlight some of the key differences between Windows 10 editions, which are available through subscription in Microsoft 365 Enterprise SKU's. Small business admins and consultants are going to be interested in some, but not all, of these features. There... read more
18Jan

Certification vs. Qualification

I hold several certifications in my field of expertise: a number of Microsoft certifications, as well as Cisco, WatchGuard, IBM and other technologies.  Before all of that happened, I also earned my bachelor’s in mathematics and philosophy from University, as well as a shiny Master’s... read more

Helping IT Consultants Succeed in the Microsoft Cloud

Have a Question? Contact me today.

Contact Me