Microsoft Intune is a cloud-based service that focuses on mobile device management (MDM) and mobile application management (MAM).
You control how your organisation’s devices are used, including mobile phones, tablets, and laptops. You can also configure specific policies to control applications. For example, you can prevent emails from being sent to people outside your organisation. Intune also allows people in your organisation to use their personal devices for school or work. On personal devices, Intune helps make sure your organisation's data stays protected and can isolate organisation data from personal data.
Intune is also included as part of Microsoft's Enterprise Mobility + Security (EMS) suite. Intune integrates with Azure Active Directory (Azure AD) to control who has access and what they can access. It also integrates with Azure Information Protection for data protection. It can be used with the Microsoft 365 suite of products. For example, you can deploy Microsoft Teams, OneNote, and other Microsoft 365 apps to devices. This feature enables people in your organisation to be productive on all of their devices while keeping your organisation’s information protected with the policies you create.
With Intune, you can:
- Choose to be 100% cloud with Intune, or be co-managed with Configuration Manager and Intune.
- Set rules and configure settings on personal and organisation-owned devices to access data and networks.
- Deploy and authenticate apps on devices, on-premises and mobile.
- Protect your company information by controlling the way users access and share information.
- Be sure devices and apps are compliant with your security requirements.
In Intune, you manage devices using an approach that's right for you. For organisation-owned devices, you may want full control over the devices, including settings, features, and security. In this approach, devices and users of these devices "enroll" in Intune. Once enrolled, they receive your rules and settings through policies configured in Intune. For example, you can set password and PIN requirements, create a VPN connection, set up threat protection, and more.
For personal devices, or bring-your-own devices (BYOD), users may not want their organisation administrators to have full control. In this approach, give users options. For example, users enroll their devices if they want full access to your organisation's resources. Or, if these users only want access to email or Microsoft Teams, then use app protection policies that require multi-factor authentication (MFA) to use these apps.
When devices are enrolled and managed in Intune, administrators can:
- See the devices enrolled and get an inventory of devices accessing organisation resources.
- Configure devices, so they meet your security and health standards. For example, you probably want to block jailbroken devices.
- Push certificates to devices so users can easily access your Wi-Fi network or use a VPN to connect to your network.
- See reports on user and device compliance.
- Remove organisation data if a device is lost, stolen, or not used anymore.
Mobile application management (MAM) in Intune is designed to protect organisation data at the application level, including custom apps and store apps. App management can be used on organisation-owned devices and personal devices.
When apps are managed in Intune, administrators can:
- Add and assign mobile apps to user groups and devices, including users in specific groups, devices in specific groups, and more.
- Configure apps to start or run with specific settings enabled and update existing apps already on the device.
- See reports on which apps are used and track their usage.
- Do a selective wipe by removing only organisation data from apps.
One way that Intune provides mobile app security is through app protection policies. App protection policies:
- Use Azure AD identity to isolate organisation data from personal data, so personal information is isolated from organisational IT awareness. Data accessed using organisation credentials is given additional security protection.
- Help secure access on personal devices by restricting actions users can take, such as copy-and-paste, save, and view.
- Can be created and deployed on devices that are enrolled in Intune, enrolled in another MDM service, or not enrolled in any MDM service. On enrolled devices, app protection policies can add an extra layer of protection.
For example, a user signs in to a device with their organisation credentials. Their organisation identity allows access to data that's denied to their personal identity. As that organisation data is used, app protection policies control how the data is saved and shared. When users sign in with their personal identity, those same protections aren't applied. In this way, IT has control of organisation data, while end users maintain control and privacy over their personal data.
You can also use Intune with the other services in EMS. This combination gives your organisation mobile app security beyond what's included with the operating system and any apps. Apps managed with EMS have access to a broader set of mobile app and data protection features.
Compliance and conditional access
Intune integrates with Azure AD to enable a broad set of access control scenarios. For example, you can require mobile devices to be compliant with organisation standards defined in Intune before they access network resources, such as email or SharePoint. Likewise, you can lock down services, so they're only available to a specific set of mobile apps. For example, you can lock down Exchange Online, so it's only accessed by Outlook or Outlook Mobile.