Monthly Archives: September 2015

Revisiting Microsoft Intune

With Microsoft’s Enterprise Mobility product suite getting more spotlight and popularity recently, I decided to check out how the Microsoft Intune solution looks today and whether anything has changed over the past few years.

The product line is mostly targeted at SMBs, but larger companies and enterprises get on board too, because Microsoft Intune is the only product Microsoft has that covers management of mobile devices; this is where the SCCM connector comes into play.

So, finally, with the brand new naming and concept, Microsoft is somewhere on the Magic Quadrant radar.

[Figure: Magic Quadrant for EMM, 2015]

The scenario I’ve been interested in is complete cloud management of company’s devices without any investment into local on-premise infrastructure. I left the SCCM connector and on-premise AD sync out of scope for now.

There are quite a few details and screenshots in the below sections, so if you have no interest in these – skip to the overview and some pricing details.

The details

Windows 10 has some out-of-the-box features that let you associate your device with your workplace/company account, so I went ahead and gave that a try. The whole process is about 20 steps, including an identity verification, setup of a “work” PIN and several SMS messages to confirm your “identity”.

The work account should be pre-created in your Microsoft Intune portal. To make things easier for users, a custom domain name is obviously highly preferable.


Thoughts so far

Tired, yet?

So in the end you are logged in with a “cloud”, non-local username that is an admin on the newly provisioned device. All local users are disabled.

I think it’s amazing that there’s no need for any kind of infrastructure and you still get identity and password management for your users, access controls, all the good things.


The other thing that is needed is enrolling your device. This can be done in a number of ways (including embedding it into the OS image or silently configuring the client installation and enrollment through command-line parameters). I’ll be going through the manual way below, which is a bit lengthy.

Then you fire up either Microsoft Edge or Internet Explorer and navigate to https://manage.microsoft.com. The nice part is – you’re automatically logged in and redirected to your company website (SSO!). Here you can “enroll” your device to Microsoft Intune.


What’s weird – there’s no obvious button to enroll your device. So you have to “investigate”.


After quite a few steps your Windows device is finally “enrolled” with Microsoft Intune! There are a few optimizations that can be made, such as – installing the client silently via scripts or GPOs (if you’re in an enterprise environment):

Windows_Intune_Setup.exe /?

Tool Usage:
Windows_Intune_Setup.exe [/Quiet]
Windows_Intune_Setup.exe /Extract <destination-directory>

/Quiet          Used to run enrollment package installation in quiet mode.
/Extract        Used to extract enrollment packages (Windows_Intune_{X86,X64}.msi)
destination     Specifies the directory for the extracted package.
/PrepareEnroll  Used to prepare the reference machine for automatic enrollment after Windows Setup.

When executed with no switch specified, enrollment package will be run.

e.g.:- Windows_Intune_Setup.exe
e.g.:- Windows_Intune_Setup.exe/Quiet
e.g.:- Windows_Intune_Setup.exe/Extract %temp%
e.g.:- Windows_Intune_Setup.exe/PrepareEnroll
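An added example of the scripted variant mentioned above (my own script, not code from the post or from Microsoft): a PowerShell wrapper suitable for a GPO startup script or an imaging task sequence that uses only the switches listed in the tool’s help text. The share path and the “Microsoft Intune*” DisplayName filter are assumptions.

```powershell
# Added example: silent Intune client install/enrollment for a GPO startup
# script or reference-image preparation. Only switches from the setup tool's
# own help text are used. The share path below is a placeholder (assumption).
$SetupPath = '\\fileserver\intune\Windows_Intune_Setup.exe'   # assumption
$LogPath   = "$env:ProgramData\IntuneEnroll.log"
$PrepareForImaging = $false   # $true only on a reference machine before sysprep

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $LogPath -Append
}

# Skip if a client is already present. The DisplayName pattern is an
# assumption; adjust it to what Programs and Features shows on your clients.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$installed = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
             Where-Object { $_.DisplayName -like 'Microsoft Intune*' }
if ($installed) {
    Write-Log "Intune client already installed: $($installed.DisplayName -join ', ')"
    exit 0
}

if (-not (Test-Path $SetupPath)) {
    Write-Log "Setup package not found at $SetupPath"
    exit 1
}

# /PrepareEnroll stages automatic enrollment after Windows Setup (imaging);
# /Quiet runs the enrollment package installation with no UI (runs as SYSTEM
# when launched from a startup script, which is what the package expects).
$switch = if ($PrepareForImaging) { '/PrepareEnroll' } else { '/Quiet' }
Write-Log "Running $SetupPath $switch"
$proc = Start-Process -FilePath $SetupPath -ArgumentList $switch -Wait -PassThru
Write-Log "Setup exited with code $($proc.ExitCode)"
exit $proc.ExitCode
```

Because the post notes that there is no way to watch the installation from the console, the log file written here is the only local record of whether the silent enrollment ran and how it exited.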

The client itself silently sits in the Windows Tray and has some basic functionality.


The Mobile Client for comparison:


After that you jump to the Administration Portal at https://manage.microsoft.com to check what kinds of reports and configuration options are available. You can further customize your company portal as well.


The bad – the number of policies for devices is not even close to 5% of what Group Policy Management has. The screenshot doesn’t show all of them, but you can get the general idea.

There’s also a new OMA-URI Settings policy format, which will most likely be expanded in the near future – “This topic lists the settings that you can configure for Windows 10 and Windows 10 Mobile devices in a Microsoft Intune Windows 10 Custom Policy.“:

Example:

Applies to: Both (Windows 10 and Windows 10 Mobile)
URI full path: ./Vendor/MSFT/Policy/Config/WiFi/AllowInternetSharing
Data type: Integer
Allowed values:
0 – Do not allow Internet Sharing.
1 – Allow Internet Sharing.
Default value: 1

Note that the default of 1 leaves Internet Sharing allowed; the custom policy only restricts it if you explicitly set the value to 0.


The good – some built-in reports are available and the console has a certain level of visual appeal.


The apps

There’s a universal Application Publishing tool that is the same for both Mobile Applications and Desktop ones. Both application deployments work quite nicely, the only concern being that there is no way to monitor the installation process on the devices, so the result is either success or failure. The log files are located locally on the devices.

All installations on Windows PCs run under the SYSTEM account and require the setup to be completely silent and functional under these conditions. Additional limitations and behavior under specific scenarios may apply.

The mobile applications distribution has different requirements based on platform, but supports both 3rd party apps and “application market” suggested applications.

There are reports in the management console to show how many devices have the desired software installed.


And I can’t resist mentioning the latest Fallout game series.

Pricing matters

Microsoft Intune is favorably priced, especially as part of Enterprise Mobility Suite bundle.

Stand-alone Microsoft Intune pricing – ~5 EUR per user per month.

Enterprise Mobility Suite (includes extras – Azure AD Premium, Azure Rights Management, Microsoft Advanced Threat Analytics) – about 8 EUR per user per month.

Each of the above-mentioned bundled products deserves a separate review on its own, so I will not go into details for these.

Sample table:

| Product | Features | Pricing (per user/month) |
|---|---|---|
| Azure Active Directory Premium | Self-service password reset to reduce helpdesk calls; multi-factor authentication options for greater security; group-based provisioning and single sign-on for thousands of SaaS apps; machine learning-driven security reports for visibility and threat management; robust sync capabilities across cloud and on-premises directories | $6 |
| Microsoft Intune | Mobile application management across devices; broad device support for iOS, Android, Windows and Windows Phone devices; selective wipe of apps and data for greater security; use of System Center Configuration Manager and Endpoint Protection** | $6 |
| Azure Rights Management | Information protection from the cloud or in a hybrid model with your existing on-premises infrastructure; integration into your native applications with an easy-to-use SDK; Windows Server Active Directory Rights Management Server CAL use rights** | $2 |
| Microsoft Advanced Threat Analytics*** | Behavioral analytics for advanced threat detection; detection for known malicious attacks and security issues; simple, actionable feed for the suspicious activity alerts and the recommendations; integration with your existing Security Information and Event Management (SIEM) systems | $3.50* |
| Windows Server CAL | Windows Server CAL use rights** | $1.75* |
| Standalone total | | $19.25 |
| Enterprise Mobility Suite | | $8.75* (50% savings over standalone offers) |

Conclusion

You get a solution that offers at least basic levels of compliance and control over the company’s devices and data. Software, policy, update and antivirus compliance checks are included inside the product, although not always with the complete functionality set you would have in your typical on-premise enterprise setup. They are, however, available out of the box without any investment in local infrastructure, servers and maintenance, which is amazing by itself!

For enterprises there is always the option to use the on-premise setup with Active Directory sync and System Center Configuration Manager connector.

There are some things that are still missing and should be noted:

  • No API or PowerShell support to manage the service
  • Remote User Assistance/Control is missing (available with some custom workarounds, rather limited)
  • Silverlight administration portal, which does not work in Microsoft Edge (Microsoft has set the support end date for Silverlight 5 to October 2021; in 2015 Microsoft announced that, since ActiveX support was discontinued in Microsoft Edge, Silverlight will not be supported in that browser)
  • No support for App-V
  • No out-of-the-box setup of the client and no easy enrollment (at this point it can and should probably be scripted, but the same can be said of almost anything nowadays)
  • There are reports of user experience settings that are not correctly synced between multiple user devices
  • Application delivery reporting is not that transparent; troubleshooting logs are on the client
  • (subjective) I still do not enjoy the battery drain aspect of any mobile device management client. The battery drain from this piece of management software is heavier than that from the display screen in daily use. This is not OK
  • Policies and settings are quite limited compared to Group Policy Management