Mobile Device Management - Describe Microsoft 365 apps and services

One of the most important features of Microsoft 365 is the capability to support mobile devices, such as laptops, smartphones, and tablets, even those running non-Microsoft operating systems, such as Android, iOS, and macOS. Microsoft Intune is the tool administrators use to manage mobile devices in Microsoft 365. Microsoft Intune is included as part of Microsoft 365 Enterprise subscriptions.

Microsoft Intune provides two basic approaches to the management of mobile devices, as shown in Figure 2-61:

  • Mobile Device Management (MDM): In MDM, devices are enrolled in Intune and become managed devices. Administrators can install applications, assign password policies, encrypt or remove any data on managed devices, and apply policies, rules, and settings. MDM essentially grants the organization complete control over the device, allowing administrators to ensure that the device is compliant with any required regulatory or other company policies.
  • Mobile Application Management (MAM): In MAM, Intune manages specific applications but not the entire device. Administrators can impose policies on the managed applications, such as requiring a password to access Exchange, and they can remove corporate data from the applications, but they cannot remove just any data on the system. MAM is more commonly used by organizations that support a Bring Your Own Device (BYOD) policy, in which users might not want to grant the organization full control over their personal property, and where the company does not have rigorous security compliance policies to maintain.

As part of the Intune planning process, administrators must decide whether to use MDM, MAM, or both, and if both are chosen, which devices should use which management model. It is also possible to use Intune in a hybrid management environment alongside another product, such as Configuration Manager.

Enrollment is the process by which a device is added to Microsoft Intune for management. Before devices can be enrolled in Intune, administrators must create Microsoft 365 users and groups and assign Intune licenses to them. Administrators can create users and groups manually or synchronize the existing users from Azure AD or an on-premises AD DS installation. It might also be necessary to create additional groups specifically for Intune. For example, administrators might want to create individual groups for specific device types.

The enrollment process can take many forms, depending on the device platform and whether an administrator or user is enrolling the device. For BYOD devices, for example, users can download a portal app and perform the enrollment themselves. For devices owned by the organization, administrators can set up autoenrollment protocols and use the device enrollment manager (DEM), a special user account that enables the enrollment of up to 1,000 devices.

FIGURE 2-61 Microsoft Intune MDM or MAM

Once devices are enrolled, administrators can add applications through the All Apps page in the Microsoft Intune portal. The procedures for adding applications and the possible management tasks after the applications are added vary depending on the device platform and the type of application.

The most critical aspect of managing mobile devices with Microsoft Intune is protecting the organization’s resources. One of the most powerful ways of doing this is by creating compliance policies that specify the security conditions a device must meet. For example, administrators can create and assign policies requiring a minimum operating system version, specify a required password length, or prevent the use of devices that have been rooted or jailbroken. Administrators can restrict access to specific applications or the entire device based on a device’s compliance with the assigned policies. This is called conditional access.
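The compliance check and conditional access decision described above can be modelled in a few lines. This is an added example, not Intune code or its API: the `Policy` and `Device` classes, their field names, and the sample devices are all hypothetical and constructed for illustration. It shows two details that matter in practice: OS versions must be compared numerically, and a value the device has not reported should count as a failure rather than a pass.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Policy:                      # hypothetical model, not an Intune schema
    min_os: str
    min_password_length: int
    block_jailbroken: bool = True

@dataclass
class Device:                      # constructed inventory record
    name: str
    os_version: Optional[str]      # None = not reported by the device
    password_length: Optional[int]
    jailbroken: Optional[bool]

def version_tuple(v: Optional[str]) -> Optional[Tuple[int, ...]]:
    # Numeric comparison: "13.10" is newer than "13.9"; a plain string
    # comparison would rank it older. Unparseable input returns None.
    try:
        return tuple(int(part) for part in v.split("."))
    except (AttributeError, ValueError):
        return None

def violations(dev: Device, pol: Policy) -> List[str]:
    """Return the failed conditions; missing or unparseable data fails closed."""
    found = []
    have, need = version_tuple(dev.os_version), version_tuple(pol.min_os)
    if have is None or need is None or have < need:
        found.append("os_version")
    if dev.password_length is None or dev.password_length < pol.min_password_length:
        found.append("password_length")
    if pol.block_jailbroken and dev.jailbroken is not False:
        found.append("jailbroken_or_unknown")
    return found

def access_decision(dev: Device, pol: Policy) -> str:
    # Conditional access: only a device with no violations reaches the resource.
    return "block" if violations(dev, pol) else "grant"

POLICY = Policy(min_os="13.9", min_password_length=8)
DEVICES = [                        # constructed sample data
    Device("phone-a", "13.10", 8, False),
    Device("phone-b", "13.2", 6, False),
    Device("tablet-c", "14.0", 10, True),
    Device("phone-d", None, 12, None),
]

if __name__ == "__main__":
    for d in DEVICES:
        print(d.name, access_decision(d, POLICY), violations(d, POLICY))
```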

One of the most powerful management tools for mobile devices is the device profiles that you can create in Microsoft Intune, which enable administrators to apply a wide variety of features and settings that can enhance or restrict a device’s capabilities.
