WHAT IS MICROSOFT INTUNE

Microsoft Intune is a cloud-based service that

enables organizations to manage and secure
their mobile devices, apps, and PCs from a
single, centralized platform. It offers a wide
range of features and capabilities designed to
meet the diverse needs of modern workplaces,
making it an indispensable tool for IT
administrators and business leaders alike.
Challenges without Intune
 Device lifecycle
Enro Configure
ll
Provide specific enrollment methods for Deploy certificates, email, VPN, and Wi-Fi
iOS/iPadOS, Android, Windows, macOS and profiles
Linux
Deploy device security policy settings
Provide a self-service company portal for
Install mandatory apps
users to enroll BYOD devices
Deploy device restriction policies
Deliver custom terms and conditions
at enrollment Deploy device feature settings
Use IT
Zero-touch provisioning with automated r
enrollment options for corporate devices

Support and retire Protect

Revoke access to corporate resources Restrict access to corporate resources if
policies are violated (e.g., jailbroken device)
Perform selective wipe
with Conditional Access
Audit lost and stolen devices
Protect corporate data by restricting actions
Retire device such as copy/cut/paste/save outside of
managed app ecosystem
Provide remote assistance
Protect devices from security threats with
Microsoft Defender for Endpoint
Report on device and app compliance
 In a complex device landscape, you
need choices
Microsoft Intune gives you the flexibility and control to secure your data on any device – even those you don’t manage

Information Public
worker Shared Primary Companion Kiosk Contractor

Company Employee 3rd Party

managed managed managed

Secure your data on any device with Intune

Intune device management Intune app management

Provision settings, Report and Report app Secure and remove

Enroll devices for Remove corporate Publish mobile apps Configure and
certs, profiles measure device inventory and usage corporate date within
management data from devices to users update apps
compliance mobile apps

Conditional access: Restrict access to managed and compliant Conditional access: Restrict access to apps with app protection
devices policy
Dependencies Microsoft Intune
standalone (Cloud-only)
Manage and protect
Cloud-only management
No existing infrastructure necessary
No existing Microsoft Configuration Manager deployment
required
Simplified policy control
Microsoft Endpoint Manager
admin center Simple web-based administration console
Faster cadence of updates
Always up-to-date
Microsoft Intune

Device enrollment supported

Windows
iOS/iPadOS
Android
macOS
Windows and mobile devices Linux
cloud-only management
Tenant setup
 Intune license
License Intune version included

Intune Intune

Enterprise Mobility + Security E3 Intune

Enterprise Mobility + Security E5 Intune

Intune for Education Intune for Education

Microsoft 365 Education A3 Intune for Education

Microsoft 365 Education A5 Intune for Education

Microsoft 365 E3 Intune

Microsoft 365 E5 Intune

Microsoft 365 F1/F3 Intune

Microsoft 365 Business Premium Intune

Choose your user identity
Synchronized identity
Cloud identity

Azure Active Directory Azure Active Directory

Azure AD Connect

Active Directory

Independent cloud identities Single identity, enabling a

same or single sign-on
experience with Password
Hash Sync or
Pass-through Authentication
 Add groups to organize users and devices
Intune uses Azure Active Directory (Azure AD) groups to manage devices and users.

The following group types can be added

Assigned groups: Manually add users or devices into a static group
Dynamic groups: Users or devices are automatically added based on an expression created by an administrator*

* Requires Azure AD Premium

 Assign Intune license
Before a user can enroll devices into Intune, EMS licenses must be assigned to users.

Use the Microsoft 365 management portal or the Azure portal to manually assign the license per user/group. You can
also assign the licenses in bulk using PowerShell Scripts.
 Company
portal
Overview
The Microsoft Intune company
portal provides users access to
company data and apps. Users
can access the company portal
by using:
Company portal app:
An application that is available on
devices you manage with Intune
Company portal website:
A website that provides access
from a supported web browser
Users can use the company portal to
Enroll devices
View the status of their devices
Download apps deployed by the company
Contact the IT department for support
Customizations for the company
portal include
Company name
URL to company privacy
documentation
Color scheme for company portal
(RGB)
Company logo (400 x 100 pixels)
IT department information
Enrollment methods
 What is device enrollment in Intune?

The MDM enrollment process establishes a The enrollment method depends on the device’s
relationship between the user, the device, and the ownership, device platform, and management
Microsoft Intune service. requirements.

Device ownership Description Device platform

Personally-owned phones, tablets, and PCs. Users install and run the Apple iOS, iPadOS and macOS
Bring your own device (BYOD)
Company Portal app to enroll BYODs.
Google Android (including Samsung
Phones, tablets, and PCs owned by the organization and distributed to the Knox), Android Enterprise
Corporate-owned device (COD)
workforce. COD enrollment supports scenarios like automatic enrollment,
shared devices, or pre-authorized enrollment requirements. Windows

Linux

Management requirement Description

Choose whether the device is affiliated with a single user or if the device will
With or w/o User Affinity
be shared or used as a kiosk device.

Locked enrollment (iOS only) Choose whether users can unenroll devices.

Depending on the chosen enrollment method, devices are wiped during

Reset required
enrollment.
 Supported device platforms
Apple iOS 14.0 and later
Apple iPadOS 14.0 and later
macOS 11.6 and later
For the latest information, go to: https://docs.microsoft.com/en-us/mem/intune/fundamentals/supported-devices-browsers
Android 8.0 and later*
(including Samsung KNOX
Standard 2.4 and higher)**
Android Enterprise (7.0+)
Android open source project
devices (AOSP) supported
devices
RealWear devices
(Firmware 11.2 or later)
Surface Hub Ubuntu Desktop 22.04.1 LTS
with a GNOME graphical
Windows 10 and Windows 11 desktop environment
(Home, S, Pro, Education, and
Enterprise versions) Ubuntu Desktop 20.04 LTS
with a GNOME graphical
Windows 10 and desktop environment
Windows 11 Cloud PCs
on Windows 365
Windows 10 Enterprise 2019
LTSC
Windows 10 IoT Enterprise
(x86, x64)
Windows Holographic for
Business
Windows 10 Teams (Surface
Hub)
User-driven device enrollment

Company Portal, hub,

Azure Active Apple/Android store
Directory Compan
y portal
C macOS
Azure AD
Connect
Compan
y portal
A C Windows
PCs
Intune
(x86/64,
app Intel SoC)
B
C Linux PC
D

Compan
y portal
C iOS &
Microsoft Intune Android

Work
MDM Authority accoun
Microsoft 365 device t C Windows 10
management & Windows
11
Auto-enroll Windows devices

Azure AD Join makes it possible to connect work-

owned Windows devices to your company’s Azure
Active Directory.
With Azure AD Join, you can auto-enroll devices in Azure Active
Microsoft Intune for management. Apps Directory
3rd party
in apps and
Azure Microsoft Intune
clouds
Benefits:
• Intune auto-enrollment
• Enterprise-compliant services
• Single sign-on from the desktop to cloud and on- Intune/MDM
premises applications with no VPN
Auto-enrollment
• Support for hybrid environments

Windows Azure On-premises apps

AD joined devices
 Android enrollment methods
Personal Corporate

Experience/ Device admin App protection Work profile Corp-owned Fully managed Dedicated
Feature policies with work
profile
Personal device Corporate device Corporate device
Legacy management Corporate device and
Management at the management with a management with a without an account,
General description using device admin enrolled with user
app level separate profile for separate profile for such as kiosk or shared
rights​ account
Deprecate work apps and data work apps and data devices
d by
In Company Portal
Out-of-box/ Out-of-box/
factory reset factory reset Out-of-box/
Google factory reset
or Out-of-Box/
QR code (7.0+), NFC, QR code (7.0+), NFC,
Enrollment/ factory reset
N/A In Company Portal Token, Token, QR code, NFC, Token,
unenrollment UX (Samsung)
Zero Touch(8.0+), KNOX Zero Touch(8.0+), KNOX Zero Touch, KNOX
KNOX Mobile
(2.4+) Mobile (2.4+) Mobile Mobile Enrollment
Enrollment
Enrollment Enrollment

User affinity Yes Yes Yes Yes Yes No

Min Android version Android 6.0+ N/A Android 6.0+ Android 8.0 Android 6.0+ Android 6.0+