In the past, companies used a configuration management tool to manage and protect data on their devices, as most employees worked on devices provided and owned by their employer.
The current trend is shifting toward a more hybrid and flexible approach: BYOD, which means “Bring Your Own Device.” In this arrangement, employees have the flexibility to use their personal devices for work, either at home or in the office.
However, this trend has made it challenging to protect data over different mobile devices that run on various operating systems. Companies using the Microsoft Configuration Manager are limited to managing only Windows, macOS, and Windows Server devices.
Microsoft launched a product called Microsoft Intune to solve this problem. Using Intune, IT administrators can manage laptops, tablets, and smartphones running the mainstream operating systems: Android, iOS/iPadOS, macOS, and Windows.
This article is your guide to Microsoft Mobile Device Management. You will learn how Microsoft’s Mobile Device Management ecosystem works, its features, and how you can deploy it in your business.
Microsoft offers a suite of solutions and technology to companies for remotely managing, accessing, and protecting the data stored in organization-owned and employee-owned devices. This practice of managing devices and data is called Mobile Device Management (MDM).
Microsoft Endpoint Manager (MEM) is a part of the Microsoft 365 services stack, and under the MEM branding, you get Configuration Manager and an Intune subscription. These two platforms give you complete control over your data on any device that accesses your company’s data — be it company-owned or employee-owned. Besides Endpoint Manager, you also need an Azure Active Directory (Azure AD) subscription to store user/employee data.
Endpoint Manager will fetch and verify this data from Azure AD before letting users access your company network.
Endpoint Manager, Intune, and Azure Active Directory are cloud-native solutions. However, note that Microsoft also has provisions for making an on-premises Active Directory and an on-premises Configuration Manager work with Intune, if you need that.
Intune also has Mobile Application Management (MAM) capabilities, allowing IT managers to access, update, troubleshoot, and manage individual applications on users' devices.
MDM + MAM benefits employees as well. For example, they don't have to worry about accidentally breaching your company policies or updating apps manually.
With Microsoft MDM and MAM together, organizations get complete control over company data stored on organization-owned and employee-owned devices without compromising employees' privacy.
MDM services let you create security policies that dictate a device’s behavior when accessing sensitive company data. These policies dictate how users can sign in to your company portal (website or application) and what they can and can't do after signing in. If an employee wishes to bring their own device to work, they will have to accept these policies.
Here are a few use cases of mobile device management:
Some examples of protecting data include:
Additionally, you can prevent data loss by creating policies that instruct Intune to save data automatically to a cloud or to your organization's central server. You can also revoke employees' ability to delete sensitive data.
Here are the features of the Microsoft mobile device management solution:
Whether you want to build your MDM ecosystem from the ground up or already have an on-premises MDM service in place, you have several options to migrate to Microsoft MDM.
If you already have systems in place, you can choose from 4 options:
If you are deploying MDM from scratch, you have these two straightforward options:
Intune and Configuration Manager are sold under the Microsoft Endpoint Manager brand, which is included with Microsoft 365 solutions. Therefore, to deploy Intune, you need any of the following licenses:
The next step would be to sign in to Endpoint Manager and sign up for Intune.
Then follow these steps:
For BYOD workplace ecosystems, Intune needs to be set as the MDM authority. Intune can enroll both employee-owned and organization-owned devices. Intune supports the Windows, iOS, macOS, and Android platforms. Check out this list of supported platforms and their respective versions.
Your users need to be registered with Azure AD.
Here are guides on obtaining licenses for various devices and enrolling them in Intune:
IT administrators can manage devices through the Microsoft Endpoint Manager. Here, they can perform actions including:
Here is the full list of actions you can perform.
Intune has mobile application management capabilities that allow administrators to push, configure, protect, and manage apps on enrolled devices.
Start with adding the apps you wish to manage in Intune. Next, create policies for the apps to ensure data protection. Intune’s console shows the install and vulnerability status of the apps. Here is the Microsoft guide on managing apps with Intune.
Your employees may not fully understand how mobile device management for BYOD works, and they may be concerned about the invasion of their privacy.
Educating end users about what Intune can and can't see on their personal devices can improve both the user experience and compliance. For example, Intune doesn't have access to personal data like photos, text messages, emails, call history, web history, files, or the inventory of unmanaged apps. On the other hand, IT administrators can see the device model name, its manufacturer, the device owner's name, and the managed app inventory.
You can share this document about what Intune can access on a device with your employees and let them choose whether they wish to enroll their personal devices or not.
If they wish to enroll, they will find these video device enrollment guides extremely helpful.
After enrolling, your employees can take the help of the following guides to download apps from the company portal and enjoy the convenience offered by the BYOD model:
Leaking sensitive organizational information can jeopardize a person’s career prospects. Therefore, when buying or selling an old phone, you can proceed with confidence by checking that the phone has been completely wiped and is in factory condition.
A Phonecheck report can be used to ascertain whether the device has been securely wiped and restored to factory settings. You don’t want to buy a device still enrolled with MDM software.
Phonecheck offers a complete mobile device processing solution that checks whether a device is unlocked, has been reported lost or stolen, has a healthy battery, has been repaired, or is blacklisted, among other things. Resellers can buy and sell old phones with confidence with Phonecheck Certification.