Manage devices with Intune Overview

A core component of enterprise-level security includes managing and protecting devices. Whether you’re building a Zero Trust security architecture, hardening your environment against ransomware, or building in protections to support remote workers, managing devices is part of the strategy. While Microsoft 365 includes several tools and methodologies for managing and protecting devices, this guidance walks through Microsoft’s recommendations using Microsoft Intune. This is the right guidance for you if you:

  • Plan to enroll devices into Intune through Azure AD Join (including Hybrid Azure AD Join).
  • Plan to manually enroll devices into Intune.
  • Allow BYOD devices with plans to implement protection for apps and data and/or enroll these devices to Intune.

On the other hand, if your environment includes plans for co-management including Microsoft Endpoint Configuration Manager, see Co-management documentation to develop the best path for your organization. If your environment includes plans for Windows 365 Cloud PC, see Windows 365 Enterprise documentation to develop the best path for your organization.

Watch this video for an overview of the deployment process.

Why manage endpoints?

The modern enterprise has an incredible diversity of endpoints accessing their data. This setup creates a massive attack surface, and as a result, endpoints can easily become the weakest link in your Zero Trust security strategy.

Mostly driven by necessity as the world shifted to a remote or hybrid work model, users are working from anywhere, from any device, more than anytime in history. Attackers are quickly adjusting their tactics to take advantage of this change. Many organizations face constrained resources as they navigate these new business challenges. Virtually overnight, companies have accelerated digital transformation. Simply stated, the way people work has changed — we no longer expect to access the myriad of corporate resources only from the office and on company-owned devices.

Gaining visibility into the endpoints accessing your corporate resources is the first step in your Zero Trust device strategy. Typically, companies are proactive in protecting PCs from vulnerabilities and attack while mobile devices often go unmonitored and without protections. To ensure you’re not exposing your data to risk, we need to monitor every endpoint for risks and employ granular access controls to deliver the appropriate level of access based on organizational policy. For example, if a personal device is jailbroken, you can block access to ensure that enterprise applications are not exposed to known vulnerabilities.

This series of articles walks through a recommended process for managing devices that access your resources. If you follow the recommended steps, your organization will achieve very sophisticated protection for your devices and the resources they access.

Implementing the layers of protection on and for devices

Protecting the data and apps on devices and the devices themselves is a multi-layer process. There are some protections you can gain on unmanaged devices. After enrolling devices into management, you can implement more sophisticated controls. When threat protection is deployed across your endpoints, you gain even more insights and the ability to automatically remediate some attacks. Finally, if your organization has put the work into identifying sensitive data, applying classification and labels, and configuring Microsoft Purview data loss prevention policies, you can obtain even more granular protection for data on your endpoints.

The following diagram illustrates building blocks to achieve a Zero Trust security posture for Microsoft 365 and other SaaS apps that you introduce to this environment. The elements related to devices are numbered 1 through 7. These are the layers of protection device admins will coordinate with other administrators to accomplish.

Microsoft 365 Zero Trust deployment stack

In this illustration:

  Step Description Licensing requirements
1 Configure starting-point Zero Trust identity and device access policies Work with your identity administrator to Implement Level 2 App Protection Policies (APP) data protection. These policies do not require that you manage devices. You configure the APP policies in Intune. Your identity admin configures a Conditional Access policy to require approved apps. E3, E5, F1, F3, F5
2 Enroll devices to Intune This task requires more planning and time to implement. Microsoft recommends using Intune to enroll devices because this tool provides optimal integration. There are several options for enrolling devices, depending on the platform. For example, Windows devices can be enrolled by using Azure AD Join or by using Autopilot. You need to review the options for each platform and decide which enrollment option is best for your environment. See Step 2. Enroll devices to Intune for more information. E3, E5, F1, F3, F5
3 Configure compliance policies You want to be sure devices that are accessing your apps and data meet minimum requirements, for example devices are password or pin-protected and the operating system is up to date. Compliance policies are the way to define the requirements that devices must meet. Step 3. Set up compliance policies helps you configure these policies. E3, E5, F3, F5
4 Configure Enterprise (recommended) Zero Trust identity and device access policies Now that your devices are enrolled, you can work with your identity admin to tune Conditional Access policies to require healthy and compliant devices. E3, E5, F3, F5
5 Deploy configuration profiles As opposed to device compliance policies that simply mark a device as compliant or not based on criteria you configure, configuration profiles actually change the configuration of settings on a device. You can use configuration policies to harden devices against cyberthreats. See Step 5. Deploy configuration profiles. E3, E5, F3, F5
6 Monitor device risk and compliance with security baselines In this step, you connect Intune to Microsoft Defender for Endpoint. With this integration, you can then monitor device risk as a condition for access. Devices that are found to be in a risky state will be blocked. You can also monitor compliance with security baselines. See Step 6. Monitor device risk and compliance to security baselines. E5, F5
7 Implement data loss prevention (DLP) with information protection capabilities If your organization has put the work into identifying sensitive data and labeling documents, you can work with your information protection admin to protect sensitive information and documents on your devices. E5, F5 compliance add-on

Coordinating endpoint management with Zero Trust identity and device access policies

This guidance is tightly coordinated with the recommended Zero Trust identity and device access policies. You will be working with your identity team to carry through protection that you configure with Intune into Conditional Access policies in Azure AD.

Here’s an illustration of the recommended policy set with step callouts for the work you will do in Intune/MEM and the related Conditional Access policies you will help coordinate in Azure AD.

Zero Trust identity and device access policies

In this illustration:

  • In Step 1, Implement Level 2 App Protection Policies (APP) you configure the recommended level of data protection with APP policies. Then you work with your identity team to configure the related Conditional Access rule to require use of this protection.
  • In Steps 2, 3 and 4, you enroll devices into management with Intune, define device compliance policies, and then coordinate with your identity team to configure the related Conditional Access rule to only allow access to compliant devices.

Enrolling devices vs. onboarding devices

If you follow this guidance, you will enroll devices into management using Intune and you will onboard devices for the following Microsoft 365 capabilities:

  • Microsoft Defender for Endpoint
  • Microsoft Purview (for endpoint data loss prevention (DLP))

The following illustration details how this works using Intune.

Process for enrolling and onboarding devices

In the illustration:

  1. Enroll devices into management with Intune.
  2. Use Intune to onboard devices to Defender for Endpoint.
  3. Devices that are onboarded to Defender for Endpoint are also onboarded for Microsoft Purview features, including Endpoint DLP.

Note that only Intune is managing devices. Onboarding refers to the ability for a device to share information with a specific service. The following table summarizes the differences between enrolling devices into management and onboarding devices for a specific service.

  Enroll Onboard
Description Enrollment applies to managing devices. Devices are enrolled for management with Intune or Configuration Manager. Onboarding configures a device to work with a specific set of capabilities in Microsoft 365. Currently, onboarding applies to Microsoft Defender for Endpoint and Microsoft compliance capabilities.

On Windows devices, onboarding involves toggling a setting in Windows Defender that allows Defender to connect to the online service and accept policies that apply to the device.
Scope These device management tools manage the entire device, including configuring the device to meet specific objectives, like security. Onboarding only affects the services that apply.
Recommended method Azure Active Directory join automatically enrolls devices into Intune. Intune is the preferred method for onboarding devices to Windows Defender for Endpoint, and consequently Microsoft Purview capabilities.

Note that devices that are onboarded to Microsoft Purview capabilities using other methods are not automatically enrolled for Defender for Endpoint.
Other methods Other methods of enrollment depend on the platform of the device and whether it is BYOD or managed by your organization. Other methods for onboarding devices include, in recommended order:
  • Configuration Manager
  • Other mobile device management tool (if the device is managed by one)
  • Local script
  • VDI configuration package for onboarding non-persistent virtual desktop infrastructure (VDI) devices
  • Group Policy
  • Learning for administrators

    The following resources help administrators learn concepts about using MEM and Intune.

    Simplify device management with Microsoft Endpoint Manager Description: Learn about modern management and the Microsoft Endpoint Manager and how the business management tools in Microsoft 365 can simplify management of all your devices.

    Set up Microsoft Intune Description: Microsoft Intune, which is a part of Microsoft Endpoint Manager, helps you protect the devices, apps, and data that the people at your organization use to be productive. After completing this module, you will have set up Microsoft Intune. Set up includes reviewing the supported configurations, signing up for Intune, adding users and groups, assigning licenses to users, granting admin permissions, and setting the MDM authority.