In this video, Pete Zerger explains how to choose the best mobile device management (MDM) strategy for your company, comparing and contrasting the features of Office 365 MDM, Microsoft Intune standalone, and hybrid scenarios. You'll learn about the key de
- Your mobile device management strategy, or MDM for short, begins with choosing the right approach. This means determining what your requirements are for MDM. If you're not familiar with the features and capabilities of the Microsoft MDM solutions, it's probably easier to compare features and flesh out the gaps in your list of requirements along the way. You might have thought that we'd only be talking about Intune standalone versus Microsoft Intune hybrid, but Office 365 now has pretty impressive MDM capabilities, which are also completely free in the Office 365 commercial subscriptions.
One of the most commonly asked questions regarding MDM with Microsoft Intune is: should I integrate Intune with System Center Configuration Manager for hybrid MDM, or run Intune standalone in the cloud-only configuration? To answer the question, you should carefully compare the two options and consider updates coming to Intune standalone. Microsoft's cloud-first strategy means Intune is the focus of innovation for MDM, so Intune standalone may close the gap versus Intune hybrid over time.
Let's look at Office 365 MDM features. Now, Office 365 MDM includes access control, enabling us to block access to resources until users' mobile devices are enrolled for management. It also includes a policy engine that enables policy deployment to mobile devices to enforce device compliance: a password or PIN, device encryption, no jailbreak allowed, as well as managing users' email profile and cloud settings, which means blocking cloud backup and document sync to some third-party SaaS providers.
We can even block the use of camera, Bluetooth, and removable storage, and finally, remote wipe of a managed mobile device, and not just the old ActiveSync full device wipe, but selective wipe, which removes only corporate data, as is possible with Intune. Bear in mind all of this functionality is focused on mobile devices. We're talking about MDM, but you need to think about all of this in the context of your larger systems management strategy.
This may include managing PCs, servers, software, updates and OS deployment. These will also factor in your final decision. Let's drill down into the decision criteria and make a choice. If central management of your PCs is not a big concern, maybe you're good with Windows Update and perhaps not deploying a lot of software today, then Office 365 Mobile Device Management may be enough. The policy capabilities have come a long way, and the ability to perform a selective wipe of a device means no worries about erasing users' personal data from their personal mobile devices.
Now, why Intune standalone? Well, we get enhanced manageability and security; we get a single pane of glass for mobile devices, but also PCs and Macs; you can also distribute certificates, Wi-Fi, VPN, and email profiles; and you can deploy your internal line-of-business apps and apps in stores to users. We also get more secure access to corporate information using the Office mobile and line-of-business apps your users know, while ensuring security of data by helping to restrict actions like Copy, Cut, Paste, and Save As to only the apps we manage with Intune, and we also get more secure web browsing using the Intune-managed browser app.
Why Intune hybrid? Existing on-premises investments would be one. You might choose hybrid MDM if you already have a significant investment in System Center Configuration Manager and want to extend that to mobile devices. Scale is another. If you need to go beyond that 100,000-device threshold, you need hybrid. Configuration Manager current branch can handle into the hundreds of thousands of devices with the right topology. Reporting is also richer in Configuration Manager, although Intune is evolving quickly in this area.
PC compliance. You can configure conditional access policies for PCs; you can require that PCs be compliant with the policy in order to access Exchange Online and SharePoint Online services, but this requires hybrid as well as the federated identity model, which means Intune. OS deployment. This becomes less of a need as Windows as a service evolves, but Intune is still a consideration for many, if not most, organizations.
So, some key takeaways here, just to touch on the key points. Choose the simplest model that meets your MDM needs. Start with Office 365 MDM and justify Intune standalone or hybrid. Remember, Intune has a richer feature set than Office 365 MDM, and Intune hybrid meets on-prem high-scale requirements today. In line with Microsoft's cloud-first strategy, the Intune standalone feature gap will be reduced over time, so stay tuned.
In this course—the first in the series—Microsoft MVP Pete Zerger takes you through the basics of setting up endpoint protection. He begins by explaining how to set up Azure Active Directory Premium. Next, he goes into enabling multi-factor authentication, followed by setting conditions for secure access. To wrap up, Pete covers managing mobile devices with Intune, and publishing applications with Azure AD App Proxy.
- Setting up Azure Active Directory for an organization
- Enabling user-level and application-level multi-factor authentication
- Setting conditions for secure access
- Planning a mobile device management (MDM) strategy
- How Intune (standalone) MDM works
- How Intune mobile application management works
- Publishing applications with Azure AD App Proxy
- Assigning users and groups