Manage device configuration for all supported device platforms by using Intune – Manage, maintain, and protect devices

You can implement mobile device management (MDM) functionality using Microsoft Intune or, to a more limited extent, with Basic Mobility and Security for Microsoft 365. In addition to managing settings on iOS and Android mobile devices, MDM allows you to configure policies that control settings on any Windows 11 device, such as desktop PCs and laptops.

You can now manage devices from the cloud using an MDM solution such as Intune. By removing the traditional domain-based constraints often imposed on devices, MDM enables you to implement new management and device functionality. You must understand how to manage devices enrolled in Azure AD and Intune. Also, you must understand how to plan and use profiles and policies to configure devices, control user access, and set device settings to comply with company security and compliance policy.

This skill covers how to:

Specify configuration profiles to meet requirements

When planning how your organization will use MDM to manage your devices, there are several areas that you should include in your scope.

The two common elements of modern management are your users and their device(s). In a traditional environment, you retain full control of a user’s computing environment, including the user’s desktop, using Configuration Manager and/or Group Policy.

This can be restrictive for the user, but it provides the strictest level of control for the administrator. Using Intune, a similar level of control is possible. Also, the cloud-based nature of Intune can be especially useful for devices that are beyond the management scope of Group Policy, such as in the following scenarios:

  • Devices that are not domain members
  • Smartphones
  • Windows 11 devices that are joined to Azure AD only
  • Devices that are used entirely remotely and without access to VPN solutions

Intune provides excellent features for managing devices that connect to your corporate data, enabling you to remain compliant with your corporate security and compliance requirements. All enrolled devices can be forced to comply with your defined device configuration profiles.

Microsoft Intune allows you to manage your devices using an MDM solution that includes settings and features that you can enable or disable on various mobile devices. The full list of platforms supported by Intune through device enrollment is as follows:

  • Apple
    • Apple iOS 14.0 and newer
    • Apple iPadOS 14.0 and newer
    • macOS 11.0 and newer
  • Google
    • Android 8.0 (and newer)
    • Android Enterprise
    • Android open source project devices (AOSP)
  • Microsoft
    • Windows 10/11
    • Windows 10/11 on Windows 365
    • Windows 10 LTSC
    • Windows 10 Teams
    • Surface Hub
  • Other
    • Linux (Ubuntu Desktop 20=2.04 or newer)

Because of the variety of platforms and devices, not all settings and features can be configured on every device platform. You should review the settings and features you can add to a configuration profile for the different devices and platforms you use—or plan to use—in your organization.

The number and scope of the built-in device settings supported by Intune continue to grow as more organizations provide feedback to Microsoft requesting additional support for new scenarios. For each new Windows client version, new MDM functionality will be added to the built-in MDM client to reflect new features that ship with that version of Windows 11.

You can also use Open Mobile Alliance Uniform Resource Identifier (OMA-URI) profiles. Known as custom profiles, these enable you to create and use device settings and features that aren’t natively built into Intune. If a setting or feature is supported on devices in your organization, you should be able to create a custom profile that sets the same feature for every device by using OMA-URI settings.
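To make the custom-profile idea concrete, the following added example (not from the original text or from Microsoft) validates a set of OMA-URI settings and builds the JSON body of a Windows custom profile as the Microsoft Graph `windows10CustomConfiguration` resource. The profile name, setting names, and values are constructed for illustration; the two Policy CSP paths are existing Windows settings chosen as samples.

```python
import json

# Graph @odata.type for each value type a custom-profile setting may carry.
OMA_TYPES = {
    bool: "#microsoft.graph.omaSettingBoolean",
    int: "#microsoft.graph.omaSettingInteger",
    str: "#microsoft.graph.omaSettingString",
}
# Windows CSP nodes are rooted at device or user scope.
VALID_ROOTS = ("./Device/Vendor/MSFT/", "./User/Vendor/MSFT/", "./Vendor/MSFT/")


def oma_setting(name, oma_uri, value):
    """Validate one OMA-URI setting and return its Graph JSON form."""
    if not oma_uri.startswith(VALID_ROOTS):
        raise ValueError(f"{name}: OMA-URI must start with one of {VALID_ROOTS}")
    if oma_uri.endswith("/") or any(ch.isspace() for ch in oma_uri):
        raise ValueError(f"{name}: malformed OMA-URI {oma_uri!r}")
    odata_type = OMA_TYPES.get(type(value))  # exact type: True is not an int here
    if odata_type is None:
        raise ValueError(f"{name}: unsupported value type {type(value).__name__}")
    return {"@odata.type": odata_type, "displayName": name,
            "omaUri": oma_uri, "value": value}


def custom_profile(display_name, settings):
    """Build a windows10CustomConfiguration body from (name, uri, value) tuples."""
    seen, oma = set(), []
    for name, uri, value in settings:
        if uri in seen:  # two values for one node would conflict on the device
            raise ValueError(f"{name}: duplicate OMA-URI {uri}")
        seen.add(uri)
        oma.append(oma_setting(name, uri, value))
    return {"@odata.type": "#microsoft.graph.windows10CustomConfiguration",
            "displayName": display_name, "omaSettings": oma}


# Constructed sample: profile name and values are illustrative only.
SAMPLE = [
    ("Minimum PIN/password length",
     "./Device/Vendor/MSFT/Policy/Config/DeviceLock/MinDevicePasswordLength", 8),
    ("Block camera",
     "./Device/Vendor/MSFT/Policy/Config/Camera/AllowCamera", 0),
]

if __name__ == "__main__":
    print(json.dumps(custom_profile("Example - device lock baseline", SAMPLE), indent=2))
```

The resulting body is the shape accepted by the Graph `deviceManagement/deviceConfigurations` collection; authentication and the HTTP request are left out.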

Author: Cheryl Casey
