Evaluating Intune against Workspace ONE UEM - mobile-jon.com

Evaluating Intune against Workspace ONE UEM

It’s been a few years since I have done an analysis of the Microsoft Offering against the top UEM platform on the market (Workspace ONE UEM). I thought it would be a good time as more of my clients are looking to make the move to Intune mainly based on cost.

We will look at a few key areas and highlight the main differences:

  • Mobile Device Management Features
  • Administration
  • Integration
  • Security
  • Application Management
  • Analytics

Mobile Device Management

When I focus on mobile device management, I mainly look at the available profiles/configurations. As part of that, I will analyze the baseline support available and any “proprietary features”. Since Intune is the underdog, let’s discuss what you get out of Intune.

Intune’s MDM Highlights

Intune, which you could probably call Microsoft Endpoint Manager now since the portal is officially being retired in August, has caught up to a degree. The main issue they have is they do not iterate quickly. This is a bit challenging, but it depends on what your use cases are. We will cover the different areas of MDM in the sections below: compliance, device enrollment, profile support, organization/grouping of devices, and more.

Device Enrollment

At the end of the day, enrollment is always where it starts. When it comes to Intune, one of my favorite things is how they designed most of the enrollment flow UI to be more people-centric. Even the initial screen is the most user-friendly one I’ve seen.

They are also doing a nice job when it comes to iOS user enrollment, which is significantly better than VMware at this point. VMware still hasn’t yet implemented iOS user enrollment into their agent aka Intelligent Hub, whereas Microsoft continues to do a nice job to integrate it into the flow.

Privacy is also a key part of the enrollment process in 2020, which honestly Microsoft sort of mails in. A bulleted list is an afterthought. It’s not something that actually makes users happy and the fact you can edit that list just makes it not that trustworthy to me.

Additionally, when you think about privacy it needs to mean something. You should be able to lock down privacy more than this. As an example, you should be able to configure your UEM product where no one can see the personal apps on someone’s device. Privacy cannot be ALL or NOTHING. It needs to be more customizable.

The thing that frustrated me most about this experience by far is this screen here below. It makes ZERO sense. I mean where is the DONE button?! I’m surprised at Microsoft here as this is just very lazy text that is mostly nonsensical.

I am continually shocked that none of these MDM vendors has yet implemented a button that takes you to the iOS Settings app from the enrollment agent, because YES that code does exist. For those who are interested, this is a good article here about it.

Overall Thoughts on Intune Enrollments

Many of the issues I’ve seen over the years still exist with Intune enrollments. The main issue is that the device sync up to the Intune cloud is not immediate. It can take as long as 30 minutes for you to see Apps available, the device in the console, etc. This is a major issue and is part of the issue with the platform. Office 365 and its replication is a major issue regardless of the application.

I do believe that they do a nice job on the user experience, but there are still some “Debbie Downer” moments when it comes to enrollment. This is the first and last impression that users get and it just needs to be better.


How does it stack up against Workspace ONE?

Workspace ONE does a great job on their device enrollment flow. One of the major areas they shine is on the privacy application and their rich user experience during enrollment. They also do a nice job of delivering customization of the process to make it fit a strong UX strategy.

Enroll an iOS Device in Mobile Device Management (Intelligent Hub ...

Intune Profile and Configuration Support

When I look at Intune, the biggest home run when it comes to profiles is that they group “features” and “restrictions” together better than their competitors. Its simplistic design makes it much easier to deploy and build for administrators. That’s also a double-edged sword because people will be more likely to build these gigantic profiles instead of following UEM best practices.

For the most part, all of the iOS profiles exist with a few exceptions at the obscure level like global HTTP proxy, LDAP, CardDAV, etc. That’s not a huge deal to me. One thing that I don’t like is that you can only build custom XML profiles for iOS if you upload the mobileconfig files, which you built manually elsewhere. The ability to copy and paste XML is very useful, but clearly lacking here.

One thing that I do really like is when setting up profiles like WiFi, VPN, SSO, you don’t need to create a new credential payload. You just point the profile at the certificate profile you have already created. That is much cleaner and simpler to work with.

Android is a whole other conversation as they are largely missing a ton of profile options. As you can see, there aren’t many available, which could matter to you:

Overall Thoughts on Profiles

Profiles have a ton of good things about them on Intune. They make them much easier to work with and I think the admin experience is top notch. It’s organized logically and you aren’t working as hard. We have to call out the gaps though. Intune’s biggest hurdle is always speed. They are way too slow to introduce features. You will need to decide if you are willing to own the risk, especially when new OSes launch and you can’t support them like you once could. That could mean features, security, or a combination of the two.

Profiles are probably going to be the biggest source of frustration for administrators. Two major gaps that Intune has are (1) the inability to repush profiles and (2) profile updates take hours to actually apply. These items will always make this product subpar in my estimation.

How does Workspace ONE stack up on Profiles?!

This is a no-contest really. You can install, remove, repush profiles, and work through them very quickly. The biggest challenge is there is no way to force a full sync on all devices. I did write a workaround on this found here, but overall they do a nice job.

Additionally, they have a full suite of profiles and fully support custom XML for iOS. Their same-day support for new iOS can be addressed with a quick SQL seed script, which has been a huge benefit.

Device Compliance

Device Compliance is always a problem. The security specific items I will leave to a later post. If we focus on iOS, Intune only supports a few compliance items:

  • Email not setup
  • Jailbroken Devices
  • OS Version
  • Restricted Apps by App ID

That is a major issue. Other competing platforms have SIXTEEN different compliance options, whereas Intune has a very narrow scope to work with.

If we talk about the nice things, I do like that they have a non-compliant devices section where you can clear their state or retire them. This is another area where Intune’s biggest gap comes to light. The inability to repush stuff. It’s nice that they have a “clear selected device state” but one has to wonder how effective it actually is.

How Does Workspace ONE do with Compliance?

As mentioned above, Workspace ONE has a wide breadth of compliance policy options, which is huge. Additionally, their Secure Email Gateway supports additional policies, such as whitelisting mail clients, versions, forcing attachment encryption and more. The compliance engine with WS1 UEM is a beast that many products integrate with directly, such as EDRs, NACs, and much more.

Grouping Devices

Intune groups and organizes devices non-hierarchically. Their concept is interesting, but possibly flawed to a degree. These tags are used to organize devices, which only apply to managed devices. One of the really nifty things about “Device Categories” is you can create Azure AD groups based off these tags for assignments.

Microsoft does a great job of flowing their entire ecosystem around their products and Intune is no different as it leverages Azure at its core to deliver some intriguing capabilities like this. My main issue with how it’s designed is there is no automation like in other platforms that will automatically categorize these devices. In my opinion, you should be able to do something like map these categories to an AD attribute to create something more compelling.

How does WS1 do with Grouping?

The grouping concepts are fairly straightforward in WS1 UEM. They use a hierarchy similar to AD and support grouping, which will look at user group membership and move devices within those containers with ease. They recently opened support for both enrollment and post-enrollment device movement.

Where does Intune Land in Mobile Device Management?

Intune has fixed many of their gaps that existed a few years ago. I think they are going in the right direction when it comes to the user experience, but there’s still some noticeable gaps. You need to meet certain base requirements, such as being able to re-push profiles, properly monitor devices through compliance, and offer more compelling enrollment experiences.

Today, Intune isn’t even close to the top platforms on the market. I think they can get there, but the Azure replication is definitely holding them back. The gaps that I bring up are all addressed by the other main players. From what I see at this point, I would give them a 6/10 on Mobile Device Management.

Administration

Intune administration is decent, but there are a few areas that create some significant friction, which we will highlight below:

Scope Tags

Like everything else, Intune supports roles, but scope tags are there for when you only want people to be able to manage certain types of devices. I think the spirit of scope tags is good, but I have some issues with them.

The first thing I don’t like is how you have to apply a scope tag on every individual profile. I mean seriously why do I have to do this?! It’s pretty stupid. Okay, I get that you add scope tags to categories and have people choose them, but adding scope tags to profiles is way too confusing. They should take that out completely and rely on roles. It just has no logical place.

Assignments for Apps

This probably creates more annoyance and frustration for me than almost anything. Let’s look at the screen below. I mean seriously WTF?

Look we GET it! You’re really smart. We don’t need to beautiful mind app assignments. It’s really simple:

  1. Is the app automatic or do you go get it yourself?
  2. Is the app available for enrolled or user enrolled?

THAT’S ALL YOU NEED! The 4 sections here are complete nonsense. We don’t need to prove how smart we are. I wish they followed the simplicity like with configuration profiles because this is just asinine.

Deployment Speed

This is another item that kills me. I’m used to this as a Teams administrator, but on UEM it’s a major major problem. When you update profiles, apps, etc, it takes FOREVER to deploy. According to Microsoft, it can take up to 8 hours before someone receives updates.

This is a big problem especially when you have an issue or something needs to be handled quickly. As it turns out, your boss doesn’t have as much patience as Microsoft.

The Good Stuff

There is a ton to be liked about the administrator experience in Intune. The main one is you don’t need to be a global administrator anymore, which is nice. A quick list of the nice things would be:

  • Clean and simple UI that is much simpler and easier to navigate than its competitors
  • Access AAD from within the same console
  • Great Troubleshooting menu to look at issues
  • Open tickets from the Intune console
  • Automation for deleting devices that aren’t checking in
  • Similar look and feel to other parts of Azure
  • Sending Customized Notifications

Overall I think it’s a good admin experience, but it suffers from many of the same issues that it always has. I would score the admin experience at 7/10.

How does WS1 do with Administration?

The AD-like hierarchy is a huge benefit for administration. You can use those org groups to deliver RBAC easily and entirely powered by its AD integration. By adding admins to various AD groups, it will automatically provision accounts and provide access. Sadly, one gap is that you still need to configure MFA separately, but overall it’s solid.

Administration has always been a strong suit here with a rich UI and straightforward navigation. They can always improve a bit on some of the basics, but overall it works well. One criticism could be that the flow of customization and configuration is a bit tedious. Additionally, they have moved many of the installers to the VMware resource portal, which requires additional firewall rules during upgrades to pull down installers.

Most of the complaints are nonsense ones, but they’re still valid. I think with some of the changes they have planned in late 2020 that their admin experience is going to be amazing.

Integration

One of the things that I gave AirWatch/Workspace ONE credit for since I started using them was knowing their strengths. Intune has shifted focus on integrations and they have made them very easy.

I was impressed to see how far they came in regards to integrations. They make it super simple to implement your Mobile Threat Defense (MTD) product as you can see below:

Intune supports what they call “Cross Platform” in several areas, such as:

  • MTD
  • Jamf integration for macOS management
  • TeamViewer for remote support
  • Telecom Expense Management
  • NAC

This graphic is a great example of how the Intune ecosystem works especially within integrations below. Overall I give Intune’s integration an 8/10:

High-level architectural diagram for Microsoft Intune

Integration Gaps

I think Intune does a great job on integrations, but I do have an issue with a few of the gaps they have.

My top one is the lack of syslog integration. As you can see in this article here, you need a few Azure products to try to get data into a SIEM like Splunk. I know that is how Microsoft operates, but I still think it’s a big miss.

A very close second is the lack of WS1 UEM integration with Intune still. Microsoft decided to do it with JAMF already so there is zero excuse that this isn’t done yet. Let’s just accept that some companies like to use WS1 and get it done. I love the fact they have it with JAMF so it’s time to make it happen.

Is WS1 the Champion of Integration?

Intune copied VMware with their integration approach. VMware has been a brilliant collaborator, starting groups like AppConfig, the zero trust network, and much more. The integrations aren’t too painful; they typically revolve around generating an API account and API key to build a trust between a 3rd party application and WS1.

The simplistic nature of their integrations means companies can very quickly and easily ramp up integrations, such as the strong partnerships with companies like Cisco, Okta, Ping, and much more. Integrations deliver tons of value, but sometimes it makes your ROI take a hit. We must always realize that we should focus on the right tool for the job instead of the flashy workbench.


Security

Security and Intune are an interesting conversation. We know that the big issue that Intune has involves timing and speed. Device health and security are not real-time with Intune. Microsoft acknowledged that with their heavy support into several MTDs: Lookout, SEP, Check Point, Zimperium, Pradeo, BETTER, Sophos, and Wandera. That is a great piece of self-awareness.

Conditional Access

Conditional Access is 90% of the time the reason why people use Intune. Their conditional access engine is unquestionably top notch.


Basically conditional access works like this:

  • A set of Users or Groups
  • A set of Apps or the “Register Security Information” action
  • Conditions (Device Platforms, Locations, whether it applies to Browser or Thick Clients), and Device State (Azure AD Joined, Compliant Devices)

Based on a device matching that criteria, you can require certain actions to grant access:

  • Require MFA
  • Require Device to be Compliant
  • Require Hybrid Azure AD Join
  • Require to be an Approved Client App
  • Require MAM Policy

You can control session access in a few ways:

  • Block Downloads
  • Control how often the user has to re-authenticate

Conditional Access is a great feature that they continue to augment, which I believe makes Intune relevant and a major player with our significant reliance on Office apps in the enterprise today.
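To make the two mechanisms concrete, here is an added example (my own toy model, not Microsoft code) that wires the four iOS compliance checks listed in the Device Compliance section into a Conditional Access decision built from the assignment, grant-control and session-control layers described above. The policy dictionary loosely follows the shape of a Microsoft Graph conditionalAccessPolicy, but the group, app, version and bundle-ID values are constructed and the evaluation order is a simplification I assume for illustration.

```python
from dataclasses import dataclass, field

# --- Device compliance: the four iOS checks the post lists for Intune -------

@dataclass
class Device:
    platform: str                 # "iOS", "android", "windows"
    os_version: str               # dotted version string, e.g. "13.5.1"
    jailbroken: bool = False
    email_configured: bool = True
    installed_apps: set = field(default_factory=set)  # app bundle IDs

def _version_tuple(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))

def compliance_failures(device: Device, min_os: str, restricted_apps: set) -> list:
    """Names of the compliance rules the device violates (empty list = compliant)."""
    failures = []
    if not device.email_configured:
        failures.append("email_not_setup")
    if device.jailbroken:
        failures.append("jailbroken")
    if _version_tuple(device.os_version) < _version_tuple(min_os):
        failures.append("os_version")
    if device.installed_apps & restricted_apps:
        failures.append("restricted_app")
    return failures

# --- Conditional Access: assignments -> grant controls -> session controls --

@dataclass
class SignIn:
    user_groups: set
    app: str
    platform: str
    client_app_type: str          # "browser" or "mobileAppsAndDesktopClients"
    device_compliant: bool
    mfa_completed: bool

def policy_applies(policy: dict, s: SignIn) -> bool:
    """Assignment match: user/group, app, device platform and client type."""
    c = policy["conditions"]
    platforms = c.get("includePlatforms", ["all"])
    return (bool(s.user_groups & set(c["includeGroups"]))
            and s.app in c["includeApplications"]
            and (s.platform in platforms or "all" in platforms)
            and s.client_app_type in c["clientAppTypes"])

def control_satisfied(control: str, s: SignIn) -> bool:
    # Only the grant controls this example models; "block" is never satisfied.
    return {"mfa": s.mfa_completed, "compliantDevice": s.device_compliant}.get(control, False)

def evaluate(policies: list, s: SignIn) -> dict:
    """Every enabled policy whose assignments match must grant; session controls
    from all applied policies are merged (simplified model, assumption)."""
    decision, session = "grant", {}
    for p in policies:
        if p.get("state") != "enabled" or not policy_applies(p, s):
            continue
        g = p["grantControls"]
        results = [control_satisfied(ctl, s) for ctl in g["builtInControls"]]
        if not (all(results) if g["operator"] == "AND" else any(results)):
            decision = "block"
        session.update(p.get("sessionControls", {}))
    return {"decision": decision, "session": session}

# Constructed sample policy: mobile access to Office 365 needs a compliant
# device AND MFA, and the user must re-authenticate every day.
MOBILE_O365_POLICY = {
    "displayName": "Mobile: O365 requires compliant device + MFA",
    "state": "enabled",
    "conditions": {"includeGroups": ["all-employees"], "includeApplications": ["Office365"],
                   "includePlatforms": ["iOS", "android"],
                   "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]},
    "grantControls": {"operator": "AND", "builtInControls": ["compliantDevice", "mfa"]},
    "sessionControls": {"signInFrequency": {"value": 1, "type": "days"}},
}

def demo(device: Device, mfa_completed: bool) -> dict:
    """Compliance result feeds the Conditional Access decision, as the post describes."""
    failures = compliance_failures(device, min_os="13.0", restricted_apps={"com.example.banned"})
    signin = SignIn(user_groups={"all-employees"}, app="Office365", platform=device.platform,
                    client_app_type="mobileAppsAndDesktopClients",
                    device_compliant=not failures, mfa_completed=mfa_completed)
    result = evaluate([MOBILE_O365_POLICY], signin)
    result["compliance_failures"] = failures
    return result
```

The Windows case shows the other half of the model: a policy scoped to iOS/Android simply does not apply to a Windows sign-in, so it neither blocks nor adds session controls there.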

Other Security Aspects to Intune

Intune offers many of the typical security benefits that you would expect, such as device type restrictions, OS update profiles, and other platform values like Windows ATP integration for Windows 10. The security overall is great with the exception of substandard security found on the mobile agent and how often it checks on compliance.

Monitor Windows Defender status for Intune MDM enrolled devices

You will find that the majority of their security implementation is for Windows/macOS and their ATP product, which makes sense strategically, but from an overall UEM perspective is a bit challenging. I consider their offering for security to be an 8/10 (which I would give a 9.5 if it wasn’t for the weak compliance).

Security in Workspace ONE

VMware has a strong position to crush it in security. Their EUC suite integrates so nicely together that it lets you build a secure end-to-end solution. You can capitalize on investments like NSX and Horizon to provide the exact access provided devices are trusted and secure.

VMware continues to focus heavily on security as they continue to add on DoD certifications, TLS 1.3 in their latest UAG release, and a powerful story around addressing secure use cases through acquisitions like Carbon Black.

Application Management

They have done a great job with application management on Intune. It gives you everything really, and we will do it justice with some screenshots.

Managed App Config

You can see App Config does its job nicely giving you a nice experience. One thing that I love is how it shows you the config keys that your choices created:

MAM Policies

MAM Policies are done very nicely as they have been for quite a while. A few screenshots below highlight some of the cool stuff, e.g. you can only access Outlook when your MTD rating is at Low. That is something I LOVE!

MAM Policies are just a fantastic thing, which tells a great story as we strive toward separating user and company data. When we tell our story to our clients about DLP this is where it begins and ends regardless if you use Intune or Hello Kitty Island Adventure Device Management.


Policy Sets

I like putting Policy Sets in here also because they’re neat. Intune created basically buckets that you can use to deploy a bunch of stuff to. This lets you say “give everyone in our Boston office, the office apps, with the office app config policies, and protection policies” and scope it to “Boston Support” or something like that.

Summarizing Applications on Intune

Policy Sets I will admit are a nice and clean upgrade over the status quo from Intune. It’s probably the first thing that really surprised me because it’s a differentiation. I can say this is the one area where I cannot complain. With that, I gladly give the application support in Intune a 10/10.

Is Workspace ONE Strong Enough on Apps?

It pains me to say this is the one black eye they have right now. We have been promised for 2+ years they would have the Intune Conditional Access integration that little ol’ JAMF now has. This is an absolute must and almost makes your application story an epic fail without it.

With that said, the Intelligent Hub is finally that application catalog we have been dying for. Their application deployments, configuration, and intuitiveness are fantastic. It’s a strong story that they continue to build on with their Intelligence platform.

The best thing they have going for them right now are Mobile Flows, which lets you simplify your approvals and integrate application functionality directly into applications. It comes at a cost, but many companies are loving that right now with things like approving WorkDay, ServiceNow, and Jira requests from a single unified application.

Analytics and Reporting

Intune Reporting is similar to other services. Their reporting is powered by PowerBI, but it’s nice that they let you ingest the OData feed with their product called Intune Data Warehouse. An example dashboard can be seen below:


They also have this nice little device compliance dashboard that I like:

The last part of reporting that I want to mention is a new feature called endpoint analytics which is a Nexthink-like feature that will evaluate your devices for places to improve and enhance them. This is something I am going to be evaluating and looking at, but it’s very new and not quite where I need it to be yet.

I’m very excited for its potential and I think this will be good. I’d say reporting wise they are about 8/10 and doing all of the things they should be doing to give you powerful intelligence to manage a large fleet of devices.

Intelli-what?!

Workspace ONE Intelligence continues to be a work in progress. They have been growing it out piece-by-piece. Their investments have been strong to deliver application monitoring, IFTTT standards, and a strong reporting story. Luckily, they have moved away from SSRS and toward a quicker and nimbler reporting architecture.

The strength in their reporting story couples nicely with sensors, which provide true customization of your Windows environment. WS1 Intelligence is truly a platform that is as strong as you make it, which can be a challenge for some engineers. Only the strongest can make it something special.

My Overall Assessment of Intune

When assessing a product, I don’t bring up everything. I didn’t cover the certificate connectors, Azure AD, or any of that. That’s its own thing entirely. I think that Intune has some significant challenges without question.

The top concern that I have with Intune in a platform can be summed up in a few bullet points:

  • Very difficult to support/troubleshoot based on its design
  • Not a Just-in-Time or real-time management platform

At the end of the day, it’s about setting expectations. Intune is not a full suite of collaboration and unified endpoint management, but it is a very solid MDM product. It has its gaps, but let’s be honest you likely are getting it for free. If you are willing and able to set expectations and be self-aware, it can work well for your organization.

Intune should not be deployed without certain considerations. All companies MUST have an MTD if you are going to deploy Intune. You should also be willing to commit money to Azure Log Analytics/PowerBI to have the reporting and tools needed to be successful.

A compelling story with Intune can be built centered around application customization, conditional access, and the overall ecosystem you are enabling. Nothing is perfect and everything has gaps, but a strong team and creativity will be the tools needed to succeed in the end.

4 thoughts on “Evaluating Intune against Workspace ONE UEM”

  1. Regarding Intune’s “Significantly better” enrollment. MS requiring the user to install an agent to start an enroll from the personal side of the device is breaking the privacy fundamentals Apple’s User Enrollment (UE) is there to protect. VMware is doing it right by not having UE enrollment built into the agent as you should be initiating an enrollment via the MDM host server website with the MDM agent installed/pushed as part of the managed business app push into the inflated business zone on the device, no business apps should ever exist on the personal/unmanaged side of the device. UE does not allow existing personal apps to become managed like the older device management approach.

    1. Thanks for your response. When I talk about how it’s better, I’m referring to the user experience and not needing to memorize a URL which just isn’t a great UX. Speaking in generalities, you’re right that having to install the Intune Company Portal doesn’t make people feel like their privacy is protected, but that isn’t 100% true. The agent requirement isn’t written into the spirit of what iOS User Enrollment touts. Stuff like clearing the passcode, wiping the device, seeing the user’s installed apps, etc are the true spirit of iOS user enrollment. It’s not that different than needing to install the Intelligent Hub to do an Android Enterprise enrollment. Again, I agree that it’s a poor choice by Microsoft, but I think we can all admit that Microsoft takes a lot longer to fully adopt functionality.

  2. Very nice article! Explains a lot. How was your experience, in terms of VMware vs Intune, with the blocking of Android manufacturers and allowing only a few? I agree replication delays are big issues and I do not know if it ever gets resolved, we are hearing this word since I started my career 20 years ago 🙂

    1. I’m not a huge fan of how you restrict manufacturers on Intune as they expect you to type a comma-delimited list, which isn’t particularly good or useful. It’s a bit lazy if I’m being honest. It’s significantly easier in WS1, as you can build policies and select from a large list. The one issue with WS1 UEM’s IFTTT model is you need to create rules per vendor. I typically whitelist only a few Android vendors, e.g. Samsung, LG, Google, as they support more controls than others.
