7 Lessons From The Intune Pros

Since Intune manages the entire lifecycle of such a broad array of hardware, it’s easy to assume it can do everything for every device. eGroup | Enabling Technologies’ field engineers deal with real-world challenges every day that push the boundaries. Recently, experts from eGroup | Enabling Technologies’ Intune practice discussed common issues and how to overcome them. Among other things, they shared lessons about policy assignment, Apple certificate expiration, hybrid Entra ID join, and Autopilot zero-touch deployment. Read or watch (below) their commentary for some key takeaways—there’s something for every stage of maturity.

Lesson 1: Planning for Policy Assignment

One of the major decisions to make in the planning phase is about how to assign device or application policies. A policy is a set of security and configuration settings that you then assign to a user or device.

Usually, organizations set up policies for company-owned devices (Windows, MacOS), such as BYOD Android, BYOD iOS, and sometimes company-owned Android or iOS.

In fact, the following kinds of policies can be created and assigned to users or groups.

  • App Protection Policies
  • App Configuration Policies
  • Compliance Policies
  • Conditional Access Policies
  • Device Configuration Profiles
  • Enrollment Policies

 

Decide early on whether to assign policies by user or by group. Intune does not play well when you mix or match, and there may be conflicts. Conflicts can happen when different policies are applied to the same device but with different settings. For example, two policies may have different settings for the app copy/paste setting. Decide on standard configurations to minimize conflicting settings.

Lesson 2: Setting Expectations About Autopilot

Autopilot can enable zero-touch deployments in the right situation. If the user device will only be joined to Entra ID (fka Azure AD), then a zero-touch deployment is feasible. The OEM hardware provider (Dell, HP, Microsoft) can inject their hardware hashes into Intune automatically upon purchase, and then direct-ship the PC to a new person’s home office.

But if the device needs to hybrid join with the on-premises Active Directory, or if Group Policy (GPO) settings are applied, then line of sight (LAN/intranet) access to a Domain Controller is necessary.  

Of course, it’s possible to mix and match based on the user and device needs. The key is getting the Autopilot profile setup right, assigning it to the right users or groups, and ensuring the app policies are configured correctly. Take a step back and evaluate if your end goal and your requirements can match.

Lesson 3: Challenge Conventions

Intune doesn’t deliver all of the conventional settings of Active Directory GPOs, which were invented in Windows 2000. Microsoft continues to work on the GPO Analyzer to (in theory) translate old rules into new settings. However, it’s more prudent to challenge common assumptions and start with a clean slate.

Want to move much faster with Intune? Organizations who do think of, “How can we use Intune’s settings to adequately secure and manage these devices?” move much faster and more efficiently than those thinking, “How can we get all these GPOs into Intune?”.

Credit to Lewis Barry for this appropriate meme.

Lesson 4: Phish-Proof User Identities with Intune

While Intune is primarily focused on device management and security, it plays a role in preventing phishing attacks by enforcing device compliance policies. Here’s how:

  • Conditional Access Policies: Intune allows administrators to set up conditional access policies. These policies can require devices to meet certain compliance criteria before granting access to corporate resources such as email or company apps. Phishing attacks often target email and apps, so by ensuring that only compliant devices can access these resources, you reduce the attack surface for phishing attempts. See our blog post: MFA is (Unconditionally) Not Enough.
  • Device Health Attestation: Intune can assess the health of devices by checking for compliance with various security policies, including the presence of up-to-date antivirus software, encryption settings, and operating system updates. If a device doesn’t meet these criteria, access to corporate resources can be restricted. This helps protect against phishing attacks that might originate from compromised or vulnerable devices.
  • App Protection Policies: Intune enables administrators to configure app protection policies that can prevent data leakage from corporate apps. For example, you can restrict the ability to copy and paste sensitive data from a corporate email app into a personal, unsecured email app. This helps prevent users from inadvertently sharing sensitive information in response to phishing emails.

Lesson 5: Expiring Certificates

Another common issue is that settings made in piloting or testing are overlooked or forgotten once in full production. An example is APNs certificate expiration or misconfiguration. Intune uses the Apple Push Notification service to communicate securely to your enrolled iOS devices, after a certificate is installed in Intune. An engineer originally piloting Intune or just dipping their toe in, may set APNs up with a personal account. If they overlook the expiration, and the certificate expires or was misconfigured, it’s necessary to reconfigure or contact Apple support to rectify the situation.

Set up notifications to be alerted when a certificate is about to expire. If it expires, devices won’t check in. While 30-day grace periods may be advertised, that’s been found to be shorter. Learn more about APNs troubleshooting below.

Lesson 6: Troubleshooting Tool

You can use the built-in troubleshooting feature to review different compliance and configuration statuses. For instance, entering in a user’s UPN will quickly show if they’re licensed or not, or if there are other issues. This is especially helpful if using the group-based licensing model.

Other Intune troubleshooting resources are available.

Lesson 7: Patching Apps

Intune is excellent at managing and patching:

  • Operating Systems
  • Microsoft 365 Apps
  • Third-Party applications that are in the Microsoft Store

What about line of business (LOB) apps, or Win32 apps, that aren’t in the store? If the app requires supersedence (wiping then replacing or upgrading one version with another), only advanced Intune administrators will be successful. Such brave folks do the prework ahead of time to package the app, download the tools, and the steps involved with supersedence.

Off-the-shelf tools like Patch My PC are purpose-built for such apps, and Microsoft has mentioned an upcoming capability within the Intune Suite add-on SKU to manage such apps. Another interesting feature of the Intune Suite is Endpoint Privileged Management, which allows users to run as a standard user (without administrator rights), but still complete tasks that require elevated privileges.

Full Details can be found in the video below. If you have any suggestions for what our experts should cover next time, give us a shout!

New Capabilities from Intune Just Released!

Mobile App Management for Windows is now generally available. You can now enable protected MAM access to organization data via Microsoft Edge on personal Windows devices. Intune Mobile Application Management (MAM) for Windows is available for Windows 11, build 10.0.22621 (22H2) or later.

Intune integration with the Zebra Lifeguard Over-the-Air service is generally available, to allow delivery of OS updates and security patches over-the-air to eligible Zebra devices that are enrolled with Intune. You can select the firmware version you want to deploy, set a schedule, and stagger update downloads and installs. This integration is now generally available for Android Enterprise Dedicated and Fully Managed Zebra devices that are running Android 8 or later, and requires an account with Zebra, as well as Intune Plan 2, or Microsoft Intune Suite.

The Remote Help web app now allows users to connect to macOS devices and join a view-only remote assistance session. Intune Suite or Remote Help licensing is required.

Since Apple released iOS/iPadOS version 17, the minimum version now supported by Intune is iOS/iPadOS 15.x.

Group Policy analytics is generally available (GA). Use Group Policy analytics to analyze your on-premises group policy objects (GPOs) for their migration to Intune policy settings.

Chris Stegh

Chris Stegh

CTO & VP if Strategy - eGroup | Enabling Technologies

Interested In Learning More About Intune?

Contact our team of experts to discuss the specific needs of your organization!

Last updated on October 11th, 2023 at 04:33 pm