Hi Guys, Gals, and Quadrupeds!
Once a year for my amazing firm I do an assessment of Intune. I think it’simportant to take a long/hard look at things and just because its Microsoft doesn’t mean its overpriced and bad. Honestly, it has come a long way. I will talk about the basic requirements every one of you should have for a MDM, the gaps from last year, and where it’s at this year. This is simply my expert opinion and it “may” have facts sprinkled in here and there.
The Mobility Baseline
You can carve up your baseline into a few key areas, which we will detail. Of course every company is different, but I will focus on a basic consensus. What I typically suggest is look at your current MDM and ask yourself three questions:
- What am I using today?
- What should I be using?
- What can’t I do that I wish I could?
Anyways, now that I provided some common sense we can move into the categories and show my baseline for a mobility vision.
I think this is really simple. You just need to decide, how much do I trust the Internet and what mitigating controls do I need to not feel so grossed out? The features that I believe are crucial to your enrollment strategy are:
- Restricting Enrollment to Device Types, Models. and OS versions
- Support to present a EULA to an enrolling device
- Ability to sign enrollment profiles
- A simple enrollment workflow that actual humans can use
- Secure authentication for enrollment
- Whitelist/Blacklist model
- Apple DEP Support
- Support for Corp and Employee-Owned Devices
Device management is fairly simple. What can compromise my company? What are the gaps? How do I achieve true DLP? (Check my blog on DLP!) These are some of the things that I suggest you look for:
- Seamlessly deploy restrictions profiles
- Instantaneous enterprise wipe or full device wipe
- Brick wall to ensure only corporate devices can be full device wiped
- Seamless support for certificate automation for VPN/WiFi/Email etc.
- Deploy Certificate Chains
- Deploying payloads for VPN/WiFi/ and whatever else you need
- Deploy trusted email and web domains
- Deploy payloads based on AD groups
- Flexible group creation similar to Exchange Dynamic DLs
- Supports a tiered management structure for reporting and overall management
- Basic administration functions (reset passcode/lock device/etc)
System Requirements is a weird one. It’s basically “stuff” that makes the engine run. Let’s face it no one wants to know how to sausage is made. They just want it to work. It’s amusing when you assume certain things should work, but many MDMs suck and don’t meet the base requirements sometimes. The system requirements that matter to me are:
- Supports standard LDAP and LDAP over the GAL Ports (3268/3269) along with certificate checking for LDAPs
- Works seamlessly with subdomains
- Basic/Advanced Analytics for Reporting
- Supports Role-Based Access Control
Application management is a tricky one. Many of you may have no use for it, but many companies are now building their own applications. Every company has different views on application development, but our focus is more on the management of those apps. My suggestions are:
- Supports a user-friendly App Store with company-branding
- Deploy applications based on group assignments
- Support for Apple’s VPP (Volume Purchasing Program)
- Supports Internal Apps
- Custom categories
- SDK Support for SSO/DLP/Analytics etc.
- Deploy Web Clips to devices
- Ability to update the yearly device signing profiles for iOS devices without needing to redeploy apps
Content Management used to be in a similar situation with App Management, but has quickly become the most important aspect of mobile devices with the focus on collaboration. A few of the things you should focus on are:
- Support for Office document management (potentially for both internal and external devices)
- Provide Offline Access
- Enforce DLP Controls for the applications, which must respect Secure Open-In
My Intune 2016 Review
In my Intune 2016 review, I found several red flags that were big failures:
- Enrollments are not possible if you require VPN for ADFS integration
- Limited certificate automation support (Only Supports SCEP)
- Limited Support for restricting devices (cannot block device types nor can you block specific users without removing their license)
- Web Domain and Email Domain Support does not exist (Highlighting external domains)
- Enterprise Wipes do not work for Outlook in current state
- Device Check-ins are very inconsistent
- Deploying changes to the environment take 30-60m in some cases (such as branding, new policies, etc)
- Issues with deploying email profiles
- ActiveSync needs to be opened externally coupled with Add/Block/Quarantine for all EAS devices
- No support for creating customized roles for admin accounts
- No support for accessing internal file shares
My Intune 2017 Review
I can honestly say that Intune has made some significant strides on their platform. Many of the gaps have been addressed today. The current gaps I’ve found are:
- Cannot restrict enrollments to a specific device (i.e. whitelisting serial numbers)
- No support for configuring the agent check-in interval (appears to happen once daily around midnight)
- Mail Profiles can only be deployed to the native mail account and do not support username (only UPN or email address for the username field)
- Email Proxy capabilities do not exist. It would require opening up ActiveSync/Proxying ActiveSync and using Exchange Add/Block/Quarantine
- No support for fine-grained compliance. Requires you to use specific AD groups for deployment
- Cannot update the yearly device signing certificate without redeploying an internal application
- No support for accessing internal NAS shares.
I believe that Intune has some great potential, but only if you are closely tied to the Microsoft stack in the cloud. My deep dive into the Intune platform has taught me that there is nothing more powerful than a full O365 environment with E5 licenses. With that, you can capitalize on conditional access powered by Intune compliance, the Azure cloud security stack, and so much more. Unless in non-Microsoft fashion, they decide to open up the Graph APIs to the different MDM vendors to tie in a MDM competitor’s compliance with the Azure stack then Microsoft will be a leader in this space within 2 years.