
Guide to Microsoft Mobile Device Management


In the past, companies used a configuration management tool to manage and protect data on their devices, as most employees worked on devices provided and owned by their employer.

The current trend is shifting toward a more hybrid and flexible approach: BYOD. It means “Bring Your Own Device.” In this arrangement, employees have the flexibility to use their personal devices for work, either at home or office.

However, this trend has made it challenging to protect data over different mobile devices that run on various operating systems. Companies using the Microsoft Configuration Manager are limited to managing only Windows, macOS, and Windows Server devices. 

Microsoft launched a product called Microsoft Intune to solve this problem. Using Intune, IT administrators can manage laptops, tablets, and smartphones running on the mainstream operating systems, namely, Android, iOS/iPadOS, macOS, and Windows.

This article is your guide to Microsoft Mobile Device Management. You will learn how Microsoft’s Mobile Device Management ecosystem works, its features, and how you can deploy it in your business.

What is Microsoft mobile device management?

Microsoft offers a suite of solutions and technology to companies for remotely managing, accessing, and protecting the data stored in organization-owned and employee-owned devices. This practice of managing devices and data is called Mobile Device Management (MDM).

Microsoft Endpoint Manager (MEM) is a part of the Microsoft 365 services stack, and under the MEM branding, you get the Configuration Manager and Intune subscription. These two platforms give you complete control over your data on any device that is accessing your company’s data — be it company-owned or employee-owned. Besides Endpoint Manager, you also need an Azure Active Directory (Azure AD) subscription to store user/employee data. 

Endpoint Manager will fetch and verify this data from Azure AD before letting users access your company network.

Endpoint Manager, Intune, and Azure Active Directory are cloud-native solutions. However, note that Microsoft has provisions for making an on-premises Active Directory and an on-premises Configuration Manager work with Intune, if you are interested in that.

Intune also has Mobile Application Management (MAM) capabilities, allowing IT managers to access, update, troubleshoot, and manage individual applications on users' devices. 

MDM + MAM benefits employees as well. For example, they don't have to worry about accidentally breaching your company policies or updating apps manually.

Together with Microsoft MDM and MAM, organizations get complete control over company data stored in organization-owned and employee-owned devices without compromising employees' privacy. 

What is Microsoft mobile device management used for? 

MDM services let you create security policies that dictate a device’s behavior when accessing sensitive company data. These policies dictate how users can sign in to your company portal (website or application) and what they can and can't do after signing in. If an employee wishes to bring their own device to work, they will have to accept these policies.

Here are a few use cases of mobile device management: 

  • Restricting access to Wi-Fi networks. You can require employees to access the company portal only through Wi-Fi or VPN networks on your organization's premises. You can also restrict access to the organization portal from public networks, as they are vulnerable to hacking.
  • Wiping data. IT administrators can completely wipe a device by restoring it to factory defaults or selectively wipe corporate data. This action can be taken remotely in case the device is lost or stolen or an employee leaves the organization. 
  • Updating data. Intune MAM allows the publishing of in-house and line-of-business apps in the company portal. Once employees enroll for mobile device management, IT administrators can push, update, selectively wipe, configure, secure and monitor these applications.
  • Protecting data. Besides wiping data on-demand, Intune equips you with other tools and methods to protect data. 

Some examples of protecting data include:

  • Allow only conditional access to sensitive data
  • Restrict users from exporting company data to personal storage devices
  • Set up strict security policies to protect data, such as barring people from sending emails to people outside the organization
  • Integrate a mobile threat defense application that constantly scans for vulnerabilities across your networks and user applications 
  • Block the use of the camera on-premises
  • Restrict users located outside the organization building from connecting to Wi-Fi networks
  • Block malicious apps from downloading
  • Restrict jailbroken devices from your network
  • Assign role-based access control to IT administrators in the Endpoint Manager console
  • Set up the requirement for multi-factor authentication for certain actions

Additionally, you can prevent data loss by creating policies that instruct Intune to save data automatically to a cloud or your organization's central server. You can also prevent employees from deleting sensitive data.
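The policies described above work by comparing what a device reports about itself (OS version, encryption, jailbreak status, password) against a per-platform rule set, and then letting conditional access grant or block the sign-in based on the result. The following Python model is an added example, not part of the original article and not Intune's own code or schema: the policy fields, the device inventory records, and the 30-day report validity period are all constructed for illustration. Intune's real compliance policies are far richer and are managed through the Endpoint Manager console (or the Microsoft Graph deviceManagement API), but the decision logic shown here is the same shape.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class CompliancePolicy:
    """One policy per platform, the way Intune scopes compliance policies (constructed schema)."""
    platform: str                 # "windows", "ios" or "android"
    os_minimum_version: str       # e.g. "10.0.19045"
    require_encryption: bool = True
    require_password: bool = True
    block_jailbroken: bool = True


@dataclass
class Device:
    """Inventory record as an MDM agent would report it (constructed sample data)."""
    device_id: str
    platform: str
    os_version: str
    encrypted: bool
    password_set: bool
    jailbroken: bool
    last_check_in: datetime


# How long a compliance report stays valid before the device must check in again.
# A device that goes silent for longer is treated as non-compliant; Intune has a
# comparable validity period, but this exact value is an assumption for the example.
COMPLIANCE_VALIDITY = timedelta(days=30)


def parse_version(text: str) -> tuple:
    """'10.0.19045' -> (10, 0, 19045) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def evaluate(device: Device, policy: CompliancePolicy) -> list:
    """Return the names of the policy settings the device fails (empty list = compliant)."""
    if device.platform != policy.platform:
        raise ValueError(f"policy for {policy.platform} applied to {device.platform} device")
    failures = []
    if parse_version(device.os_version) < parse_version(policy.os_minimum_version):
        failures.append("os_minimum_version")
    if policy.require_encryption and not device.encrypted:
        failures.append("require_encryption")
    if policy.require_password and not device.password_set:
        failures.append("require_password")
    if policy.block_jailbroken and device.jailbroken:
        failures.append("block_jailbroken")
    return failures


def access_decision(device: Device, policies: dict, now: datetime) -> tuple:
    """Conditional-access style decision: ('grant' | 'block', reasons).

    Models a 'require the device to be marked as compliant' grant control:
    no policy for the platform, a stale report, or any failed setting blocks access.
    """
    policy = policies.get(device.platform)
    if policy is None:
        return "block", ["no_compliance_policy_assigned"]
    if now - device.last_check_in > COMPLIANCE_VALIDITY:
        return "block", ["compliance_report_expired"]
    failures = evaluate(device, policy)
    return ("grant", []) if not failures else ("block", failures)


POLICIES = {
    "windows": CompliancePolicy("windows", "10.0.19045"),
    "ios": CompliancePolicy("ios", "16.0"),
    "android": CompliancePolicy("android", "12.0"),
}

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed inventory: one compliant device and three distinct failure modes
# (jailbroken, outdated and unencrypted, and a device that stopped checking in).
SAMPLE_DEVICES = [
    Device("ios-001", "ios", "17.2", True, True, False, NOW - timedelta(hours=2)),
    Device("and-002", "android", "13.0", True, True, True, NOW - timedelta(days=1)),
    Device("win-003", "windows", "10.0.18363", False, True, False, NOW - timedelta(days=3)),
    Device("ios-004", "ios", "17.2", True, True, False, NOW - timedelta(days=45)),
]


def run_report(devices=SAMPLE_DEVICES, policies=POLICIES, now=NOW) -> dict:
    """Map each device id to its access decision, the view an admin reviews in the console."""
    return {d.device_id: access_decision(d, policies, now) for d in devices}


if __name__ == "__main__":
    for device_id, (decision, reasons) in run_report().items():
        print(f"{device_id}: {decision} {', '.join(reasons) or '-'}")
```

Two details matter in practice and are easy to get wrong: OS versions must be compared as numeric tuples (as strings, "10.0.9" sorts after "10.0.19045"), and a device that stops reporting must lose its compliant status rather than keep the last good result indefinitely, otherwise a lost or retired phone keeps its access until someone notices.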

Microsoft mobile device management features

Here are the features of the Microsoft mobile device management solution: 

  • Mobile management made simple with Intune. Intune supports all major operating systems in the market. It can manage phones, tablets, laptops, and PCs across those platforms. From a single administrative space (Endpoint Manager), you can categorize users and groups for easy management, no matter how large your organization is.
  • Co-management and Tenant Attach options. Co-management and Tenant Attach are meant for organizations that already use an on-premises Configuration Manager and either want to migrate to Microsoft's cloud services gradually or not at all. With Co-management, you can use Intune and the on-premises Configuration Manager to share MDM workloads. This setup is great for BYOD environments, as using Configuration Manager by itself limits the kinds of devices you can manage: Microsoft Configuration Manager supports only Windows, macOS, and Windows Server-based on-premises devices. You can also enable Tenant Attach to control your on-premises Configuration Manager remotely from Microsoft Endpoint Manager.
  • Integrates with secure-and-protect services. On top of integrating Microsoft Defender and Windows Defender into your MDM ecosystem, you can connect a third-party mobile threat defense system to enhance security.

How to manage devices with Microsoft MDM

Whether you want to build your MDM ecosystem from the ground up or already have an on-premise MDM service in place, you have several options to migrate to Microsoft MDM.

If you already have systems in place, you can choose from 4 options: 

  • Add Tenant Attach. If you are managing devices with an on-premises Configuration Manager, you can enable Tenant Attach in Endpoint Manager to control the on-premises Configuration Manager remotely.
  • Set up Co-management. Share the workload between your on-premises Configuration Manager and Intune. Recommended for companies that want to transition to a BYOD model.
  • Move from Configuration Manager to Intune. Recommended if most user devices run on Windows. Not so good for a BYOD ecosystem.
  • Start from scratch with Microsoft 365 and Intune. Suppose most client devices in your organization's ecosystem run on Windows. In that case, you can deploy Microsoft 365 to take advantage of the full suite of Microsoft products and services, such as Office 365 and cloud storage, and integrate it with Intune.

If you are deploying MDM from scratch, you have these two straightforward options:

  • Intune + Endpoint Manager. The whole MDM system will be cloud-native. Devices can be managed remotely. It’s great for BYOD.
  • Configuration Manager + Endpoint Manager. Combine your on-premises Configuration Manager with the cloud-native Endpoint Manager.

Set up Microsoft Intune 

Intune and Configuration Manager are sold under the Microsoft Endpoint Manager brand, which is included with Microsoft 365 solutions. Therefore, to deploy Intune, you need any of the following licenses:

  • Microsoft 365 E5
  • Microsoft 365 E3
  • Enterprise Mobility + Security E5
  • Enterprise Mobility + Security E3
  • Microsoft 365 Business Premium
  • Microsoft 365 F1
  • Microsoft 365 F3
  • Microsoft 365 Government G5
  • Microsoft 365 Government G3
  • Microsoft 365 Education A5
  • Microsoft 365 Education A3

The next step would be to sign in to Endpoint Manager and sign up for Intune. 

Then follow these steps: 

  1. Configure your company's domain name with Intune. 
  2. Add users or groups, or sync Active Directory with Intune. 
  3. Assign licenses to users and employees so that they can enroll with Intune if they wish.
  4. Assign authority to Intune or Configuration Manager for mobile device management.
  5. Add apps that you want to push and manage on users’ devices. 
  6. Configure devices to determine what users can and can't do using their devices after enrolling in Intune. 
  7. Customize the company portal that your users will access for enrolling devices and installing apps. 
  8. Enable device enrollment through the portal.
  9. Configure policies to prevent data leakage and deletion. 

Enroll devices 

For BYOD workplace ecosystems, Intune needs to be set as the MDM authority. Intune can enroll employee and organization-owned devices. Intune supports Windows, iOS, macOS, and Android platforms. Check out this list of supported platforms and their respective versions. 

Your users need to be registered with Azure AD. 

Here are guides on obtaining licenses for various devices and enrolling them in Intune:

Manage devices and apps 

IT administrators can manage devices through the Microsoft Endpoint Manager. Here, they can perform actions including: 

  • Wipe data
  • Restart a device
  • See a device owner's name
  • Locate a device
  • Synchronize a device
  • Update a cellular data plan

Here is the full list of actions you can perform.

Intune has mobile application management capabilities that allow administrators to push, configure, protect, and manage apps on enrolled devices. 

Start by adding the apps you wish to manage in Intune. Next, create policies for the apps to ensure data protection. Intune's console shows the install and vulnerability status of the apps. Here is the Microsoft guide on managing apps with Intune.

Educate your users 

Your employees may not fully understand how mobile device management for BYOD works, and the perceived invasion of privacy can concern them.

Educating end users about what Intune can and can't see on their personal devices can improve both the user experience and compliance. For example, Intune doesn't have access to personal data like photos, text messages, emails, call history, web history, files, or any unmanaged app inventory. On the other hand, IT administrators can see the device model name, its manufacturer, the device owner's name, and the managed app inventory.

You can share this document about what Intune can access on a device with your employees and let them choose whether they wish to enroll their personal devices or not. 

If they wish to enroll, they will find these video device enrollment guides extremely helpful. 

After enrolling, your employees can take the help of the following guides to download apps from the company portal and enjoy the convenience offered by the BYOD model: 

Need to check a device? Get a detailed history report from Phonecheck

Leaking sensitive organizational information can jeopardize a person's career prospects. Therefore, when buying or selling an old phone, you can proceed with confidence by checking that the phone has been completely wiped and is in factory condition.

A Phonecheck report can be used to ascertain whether the device has been securely wiped and restored to factory settings. You don’t want to buy a device still enrolled with MDM software.

Phonecheck offers a complete mobile device processing solution that checks if a device is unlocked, has been reported lost or stolen, has a healthy battery, has been repaired, or has a blacklisted status, among other things. Resellers can buy and sell old phones with confidence with Phonecheck Certification.
