Mobile Device Management with Microsoft Intune

In a previous post, I spoke about MAM (Mobile Application Management) with Microsoft Intune.  MAM is all about managing and securing data at the app level.  But what about the rest of the device?  That is where Mobile Device Management (MDM) comes into play.

Mobile Device Management

Whether you're using an iOS, Android or Windows mobile device, Intune provides easy-to-use management for your organization's security needs. In June of 2017, Microsoft completed a major overhaul of the Intune platform, migrating it from its own Silverlight console to the Azure portal.  This overhaul includes new features that make Intune easier to deploy, policies faster to roll out, and reporting much more effective.  While covering everything in Intune could be its own book, I'd like to cover some major features that can get you started with simple MDM.

Adding Devices to Intune

To help automate device enrollment, Intune lets you define device categories and pair them with dynamic Azure Active Directory groups.  When a user installs the Company Portal and enrolls their device, they are prompted to select a pre-defined category (set up in the Intune console); for example, you may want to separate devices used by the Sales team from devices used by the Marketing team.  A dynamic Azure AD group whose membership rule reads the device's category (the device.deviceCategory property of the device object) then picks the device up automatically, and you can assign that group to any of the policies you have defined in Intune.  This greatly reduces administrative overhead when enrolling thousands of devices.
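The category-to-group mapping can be scripted instead of clicked through the portal. The following is an added example using the Microsoft Graph PowerShell SDK, not code from the original post: it creates the dynamic device group and then lists the managed devices already carrying that category so you can confirm the rule matches what you expect. The category name "Sales", the group naming and the permission scopes are assumptions; the device.deviceCategory rule syntax and the Graph endpoints are the documented ones.

```powershell
# Added example, not code from the original post.
# Creates a dynamic Azure AD device group whose membership follows the Intune
# device category chosen at enrollment, then checks which managed devices carry
# that category. Requires the Microsoft.Graph SDK (Install-Module Microsoft.Graph).
# Assumptions: the category "Sales" already exists under Devices > Device categories,
# and the signed-in admin can consent to the scopes below.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "DeviceManagementManagedDevices.Read.All"

$category = "Sales"    # assumed category name defined in the Intune console

# Dynamic membership rule: every Azure AD device object whose deviceCategory
# matches the category the user picked in the Company Portal.
$rule = "(device.deviceCategory -eq `"$category`")"

$groupBody = @{
    displayName                   = "MDM - $category devices"
    mailNickname                  = "mdm-$($category.ToLower())-devices"
    mailEnabled                   = $false
    securityEnabled               = $true
    groupTypes                    = @("DynamicMembership")
    membershipRule                = $rule
    membershipRuleProcessingState = "On"
} | ConvertTo-Json

$group = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/groups" `
    -Body $groupBody -ContentType "application/json"
Write-Host "Created dynamic group $($group.displayName) ($($group.id))"

# Sanity check: list Intune-managed devices already tagged with this category.
# Dynamic membership is evaluated asynchronously, so the group can lag behind
# this list for a few minutes after creation or after a device changes category.
$devices = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?`$select=deviceName,deviceCategoryDisplayName,operatingSystem"
$devices.value |
    Where-Object { $_.deviceCategoryDisplayName -eq $category } |
    Select-Object deviceName, operatingSystem |
    Format-Table
```

One caveat worth remembering: the category is chosen by the user, so a dynamic group keyed on it is an administrative convenience, not a security boundary. Anything that must not depend on the user's choice (a stricter compliance baseline for a high-risk team, say) should be assigned by a group the admin controls.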

Apply a Configuration Policy

One of the points of MDM is to stop users from weakening their mobile device's security (no passcode to unlock it, waiting hours before it locks, and so on) or from installing apps that have nothing to do with their work.  A configuration policy is what lets you define what users can and cannot do with their mobile device.  You can set up a whole host of restrictions to lock down the devices, and you can also use configuration policies to push email profiles, VPN profiles, or even Wi-Fi profiles.

Apply a Compliance Policy

Once you have defined what a device can and cannot do, you also need to ensure that the device stays compliant with those requirements at all times.  For example, what happens to a device if it is jailbroken or rooted?  What if a user tries to change their passcode to something shorter than the minimum length allowed?  Compliance policies continuously evaluate whether a device meets the security requirements you have set, can take the perceived threat level of the device into account, and mark a device that drifts as non-compliant, which is the signal Conditional Access uses to cut off access.
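The two steps above (restrict what the device can do, then verify it keeps doing so) can be scripted together. The following is an added example, not the post's own code: it creates an iOS device configuration profile and a matching iOS compliance policy through Microsoft Graph, with the compliance policy set to block a device the moment it falls out of line, and assigns both to one group. The passcode values, the choice of iOS and the group ID are assumptions; the property names and endpoints are Graph's.

```powershell
# Added example, not code from the original post.
# Creates an iOS restriction profile and a compliance policy that enforces the
# same passcode rules plus a jailbreak check, and assigns both to one group.
# Assumptions: Microsoft.Graph SDK installed; $groupId is the object ID of the
# group the policies should target (e.g. the dynamic "Sales devices" group).
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

$groupId = "00000000-0000-0000-0000-000000000000"   # placeholder, replace with a real group ID
$graph   = "https://graph.microsoft.com/v1.0/deviceManagement"

function Invoke-GraphPost($Uri, $Body) {
    Invoke-MgGraphRequest -Method POST -Uri $Uri `
        -Body ($Body | ConvertTo-Json -Depth 10) -ContentType "application/json"
}

# Target for both assignments: a single Azure AD group.
$assignment = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $groupId } }
    )
}

# 1. Configuration profile: what the device is told to do.
$config = Invoke-GraphPost "$graph/deviceConfigurations" @{
    "@odata.type"                         = "#microsoft.graph.iosGeneralDeviceConfiguration"
    displayName                           = "iOS - baseline restrictions"
    passcodeRequired                      = $true
    passcodeBlockSimple                   = $true     # rejects 1234, 1111 and the like
    passcodeMinimumLength                 = 6
    passcodeMinutesOfInactivityBeforeLock = 5
    passcodeSignInFailureCountBeforeWipe  = 10
    appStoreBlocked                       = $false    # set $true to forbid user-installed apps
}
Invoke-GraphPost "$graph/deviceConfigurations/$($config.id)/assign" $assignment | Out-Null

# 2. Compliance policy: what Intune checks afterwards. A device that drifts
#    (shorter passcode, jailbroken) is marked non-compliant with no grace
#    period, which Conditional Access can then act on. Threat-level settings
#    (deviceThreatProtectionEnabled, deviceThreatProtectionRequiredSecurityLevel)
#    need a mobile threat defense connector and are left out here.
$compliance = Invoke-GraphPost "$graph/deviceCompliancePolicies" @{
    "@odata.type"                         = "#microsoft.graph.iosCompliancePolicy"
    displayName                           = "iOS - baseline compliance"
    passcodeRequired                      = $true
    passcodeBlockSimple                   = $true
    passcodeMinimumLength                 = 6
    passcodeMinutesOfInactivityBeforeLock = 5
    securityBlockJailbrokenDevices        = $true
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{ actionType = "block"; gracePeriodHours = 0; notificationTemplateId = "" }
            )
        }
    )
}
Invoke-GraphPost "$graph/deviceCompliancePolicies/$($compliance.id)/assign" $assignment | Out-Null

Write-Host "Profile $($config.id) and compliance policy $($compliance.id) assigned to group $groupId"
```

Keep the passcode values identical in both objects: the configuration profile sets the rule on the device, the compliance policy is what notices when the rule is no longer met, and a mismatch between the two is a common reason for devices to show as non-compliant right after enrollment.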

Apply a Conditional Access Policy

If you have specific security requirements for specific users, you can create a Conditional Access policy.  For example, perhaps you only want your engineers to be able to access files in OneDrive while they are on the company network.  With Conditional Access policies you can define rules such as that to determine who can use which apps, from which locations and on which platforms, and you can require that the device be marked compliant by Intune before access is granted.  This gives you extremely granular control as your organization needs it.
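The engineers-and-OneDrive rule above, as an added example scripted against the Conditional Access Graph API (not the post's own code). It defines the office network as a trusted named location, blocks OneDrive/SharePoint for the engineers group from anywhere else, and separately requires an Intune-compliant device. Both policies are created in report-only mode so you can check the sign-in logs before anyone is locked out. The group IDs and the 203.0.113.0/24 range are placeholders; the SharePoint Online application ID is the well-known one that fronts OneDrive for Business.

```powershell
# Added example, not code from the original post.
# Conditional Access: engineers may open OneDrive only from the corporate
# network and only from an Intune-compliant device. Created in report-only
# mode first so sign-in logs show the impact before anyone is blocked.
# Assumptions: Microsoft.Graph SDK installed; $engineersGroupId and
# $breakGlassGroupId are existing group object IDs; 203.0.113.0/24 is a
# placeholder (RFC 5737 documentation range) for the real office egress range.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All"

$engineersGroupId  = "11111111-1111-1111-1111-111111111111"   # placeholder
$breakGlassGroupId = "22222222-2222-2222-2222-222222222222"   # placeholder: emergency-access admins, always excluded
$officeCidr        = "203.0.113.0/24"                          # placeholder
$sharePointAppId   = "00000003-0000-0ff1-ce00-000000000000"    # Office 365 SharePoint Online (serves OneDrive for Business)
$caBase            = "https://graph.microsoft.com/v1.0/identity/conditionalAccess"

function Invoke-GraphPost($Uri, $Body) {
    Invoke-MgGraphRequest -Method POST -Uri $Uri `
        -Body ($Body | ConvertTo-Json -Depth 10) -ContentType "application/json"
}

# 1. A trusted named location for the office network.
$location = Invoke-GraphPost "$caBase/namedLocations" @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Corporate network"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = $officeCidr }
    )
}

# 2. Block OneDrive/SharePoint for engineers from any location except the office.
#    A policy carries one grant decision, so "block off-network" and
#    "require compliance on-network" are two policies, not one.
$block = Invoke-GraphPost "$caBase/policies" @{
    displayName = "Engineers - block OneDrive off-network (report-only)"
    state       = "enabledForReportingButNotEnforced"   # switch to "enabled" after reviewing sign-in logs
    conditions  = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @($sharePointAppId) }
        users          = @{ includeGroups = @($engineersGroupId); excludeGroups = @($breakGlassGroupId) }
        locations      = @{ includeLocations = @("All"); excludeLocations = @($location.id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# 3. On the network, still require the device to be marked compliant by Intune.
$requireCompliant = Invoke-GraphPost "$caBase/policies" @{
    displayName = "Engineers - require compliant device for OneDrive (report-only)"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @($sharePointAppId) }
        users          = @{ includeGroups = @($engineersGroupId); excludeGroups = @($breakGlassGroupId) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice") }
}

Write-Host "Created $($block.id) and $($requireCompliant.id) in report-only mode; review Sign-in logs > Report-only before enabling."
```

Two checks before flipping either policy to enabled: confirm the break-glass group really is excluded (a Conditional Access policy that blocks every administrator from every location is a classic self-inflicted outage), and walk through the report-only results in the Azure AD sign-in logs to see which engineers would have been blocked and from where.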


Intune provides reports on either a user or a device, including information such as the hardware and the apps installed on the device.  You can also see which policies have been deployed to the device, along with errors for policies that could not be applied.

In Conclusion

There is so much more in the platform besides what I have covered here today.  Intune is part of the Enterprise Mobility + Security license, which is an add-on to Office 365; more licensing details can be found here:

If you’re interested in learning more about Intune and Mobile Management strategies, please feel free to reach out to me at
