After many years of steady, but not radically transformational, innovation and evolution on Microsoft’s Intune endpoint management platform, last month finally brought a major update to this cloud-native endpoint management tool that significantly expands the capabilities that it has to offer. For the official announcement from Microsoft, here’s their primary blog with the high-level details: New Microsoft Intune Suite helps simplify security solutions – Microsoft Security Blog
For those organizations that work with us or have worked with us in the past, all would agree that it would be an understatement to say that Virteva has had a LOT of experience with Intune going back to its earliest iterations in the early ‘aughts. These past few years in particular, we’ve become big believers in the idea that Intune has gotten to the point at which it’s able to fully eliminate the need for legacy tools like Configuration Manager (itself on something like name #4, after most recently being changed from System Center Configuration Manager to Microsoft Endpoint Configuration Manager and now just Configuration Manager), at least for any non-server-related endpoint management functions. And so it was with great eagerness that we consumed as much detail as possible about the Intune Suite announcements on March 1st, 2023. While Intune has already become a multi-faceted platform for managing traditional endpoints (PCs, and to a certain degree, macOS and Linux endpoints) and mobile devices like phones and tablets, a few gaps remained in need of various 3rd party solutions to address. However, these latest Intune Suite announcements have done much to “close” many of those gaps. They will allow us to further centralize our focus on Intune as the single destination for much of the typical endpoint-related management and support scenarios we often encounter in any given company’s day-to-day operations.
As the link above reveals, there are quite a few changes coming to Intune, both from a technical and licensing perspective. However, there are five things in particular that we find are the most interesting and/or compelling features and capabilities from this announcement:
- Some pretty significant licensing changes for Intune
First, here are some key things to know regarding Microsoft’s licensing updates. The licensing has been (mostly) straightforward since Intune’s inception. You either owned it or you didn’t. How you owned Intune could still involve some variables (it’s most common these days for organizations to own it by their Microsoft 365 F-and-E-level licensing). Still, it was simple to understand that if you owned Intune, you inherently owned every part of its functional capabilities.
That’s changing, with the “standard” Intune that we’ve all had now being considered a “Plan 1” tier license. Intune Plan 2 was added to the stack and incorporates the “Tunnel for Mobile Application Management” tech and the ability to leverage Intune to manage what Microsoft considers “specialty devices,” such as virtual reality headsets and large smart-screen devices. Beyond that, there’s the all-in version now called Intune Suite, wherein it incorporates all of the Plan 1 and Plan 2 elements but also adds Remote Help, Endpoint Privilege Management, Advanced Endpoint Analytics, and likely many future capabilities as Microsoft continues to develop new features into the Intune platform. Suffice it to say, while there is now extra complexity in the licensing of Intune, there’s also more of a natural likelihood that many organizations will find the full Intune Suite a valuable addition, owing to its inclusion of some of the types of functions that before now were some of the key “gaps” in the platform that we usually had to rely on 3rd party solutions to fulfill or simply couldn’t replicate at all. - Including the Remote Help tool as part of Intune licensing
While the Remote Help tool was announced in April of last year, it was originally structured under a costly add-on SKU for Intune. It didn’t fully integrate well within the platform initially. However, the Intune Suite license will now natively include the Remote Help tool as part of the bundle. Also, the fact that the tool is now vastly more integrated into the Intune platform should make it vastly simpler and more efficient for both IT and end users to utilize.
One of the more significant developments within Remote Help correlates to a new ServiceNow integration option wherein ServiceNow-based support incidents can be surfaced within the Intune admin portal alongside the endpoints associated with those Incidents. This makes it much faster and simpler for someone like a Service Desk analyst or endpoint engineer to simply initiate a Remote Help session and simultaneously have access to all the ticket data related to that particular user and their endpoint.
Another key update was the integration of chat into the Remote Help experience so that a support engineer can more easily communicate with the user on the same screen that’s been accessed via Remote Help. While Teams is a common chat vehicle for support teams in these types of scenarios, having a native chat function within the Remote Help tool itself can help ensure that, regardless of the ability of the user to have access to Teams at that time (who knows, maybe Teams is the issue they’ve opened the ticket about!), the IT analyst and user are able to communicate in real-time.
Lastly, where we often utilized tools such as LogMeIn, Team Viewer, and BeyondTrust for service desk operations’ remote access needs, Remote Help in Intune now enables us to have one fewer 3rd party tool to manage, support, and pay for. - Advanced Endpoint Analytics
Firstly, if you are already using Intune and aren’t taking advantage of the “standard” Endpoint Analytics native to all levels of Intune licensing, NOW is the time to start. Endpoint Analytics has always, for us, being one of those more obscure capabilities within Intune. That time and again, we’ve found companies we’ve worked with have been completely unaware of or not taking proper advantage of. In essence, these automated reports contain a wealth of great information about the state of your endpoints in categories like startup performance, update readiness (this is a big one coming up again as companies prepare to transition to Windows 11, just like with the transition to Windows 10), application reliability metrics, restart frequency, and various other helpful statistics that correlate to the actual real-world performance of your active Windows devices.
Now with Advanced Endpoint Analytics being introduced into Intune Suite, it’ll allow us all to create custom device scopes that will be helpful for “slicing” data in different ways across our endpoints in various data categories that we can define, as well as introduce more security-related attributes that it will track and report. The device scopes should also make it helpful for tracking things like “executive’s laptops” and “physician laptops” as a couple of examples so that we can put additional oversight into those user workstations that would have the biggest impact on our business, performance, or another significant category so that we can react faster and more effectively to any issues they’re encountering before the problem festers.
Also significant are the enhancements Microsoft made to the ability for Endpoint Analytics to detect more sophisticatedly proactively anomalies in things like microphones, applications, and that dreaded user input of “it’s running slow” before the user even has a chance to call in that first ticket. We’ve always recommended that organizations leverage Endpoint Analytics to aid in more effective cost analysis for hardware in their environment and the types of issues over time that can balloon the cost of that hardware far beyond its MSRP. With the added elements in Advanced Endpoint Analytics, it should be much more powerful for tracking long-term performance issues across all of our devices and enable more analysis of true cost-over-time for each brand and model of things like the laptops we procure. - Endpoint Privilege Management
This will be a difference-maker for the day-to-day operations in which our endpoint management teams try to stay aligned with the security team’s wishes and avoid allowing our end users to have administrative rights arbitrarily or for any longer than is absolutely necessary. This security area continues to be a challenge for many companies. Solutions like LAPS (Local Admin Password Solutions, for those unaware) have at least closed the gap over the past few years.
However, with Endpoint Privilege Management now available, we’re excited to be able to start further hardening the endpoints in each ecosystem by only enabling elevated rights for users to do things like install an app, or run an update for something not part of our normal update packages, with the added granularity of granting them just-in-time elevated privileges but ONLY for the action they’re about to take, and ONLY for a very small amount of time. The user gets what they want, while our IT and security team gains the peace of mind that we’re remaining much more aligned to Zero Trust principles in an area often one of the gaps in organizations’ attainment.
Particularly these days, with a lot of hybrid workforces that have users all over the place, both in and out of the office, Endpoint Privilege Management should greatly ease the burden on IT in handling elevated rights to users only when and how they’re needed, and have much more robust auditing as an added bonus. - Tunnel for Mobile Application Management
Speaking of those hybrid workers, many of whom are, for all intents and purposes, basically or nearly fully remote, if not entirely remote at this point for many organizations, Tunnel for Mobile Application Management (MAM) fills a particular void that existed in the context of utilization of a particular facet of Intune that we’ve been preaching to every organization that would listen to utilize heavily – MAM itself. MAM, in essence, is the ability to distribute and maintain policy-based security over corporate data as it travels down into the common applications users leverage on their mobile devices (e.g., Outlook, Teams, M365 Apps/Office Suite, Box, OneDrive, Adobe Reader, Slack, Zoom, etc.) – but with the critical difference from MDM that NO enrollment is necessary for all of that protection to flow down to those user devices!
As one might expect, BYOD devices remain the most common scenario for this to be invaluable. Where MAM Tunnel should greatly benefit those MAM-using companies is in how it will expand those MAM-focused BYOD device scenarios to allow for a lightweight VPN capability to be brought into the mix, such that users can now – still in an unenrolled state, mind you – access on-prem line-of-business apps and data whenever they need to, without having to worry about downloading a VPN client or being blocked altogether.
Suffice it to say, some fairly extensive preliminary steps need to be taken to get all of this to work, and there are some nuances, like needing Edge to be on the device for browser-based VPN sessions to occur. We don’t commonly encounter users with the Edge browser on their Android and iOS phones and tablets, so it’s an extra step that would benefit from the organization doing some upfront communication to their users to make sure they fully understand what they need to do in order to make this work for them. But once it’s all in place, and users are aware of some of the requirements, there are many scenarios in which this should help address those situations in which a user with a BYOD device would benefit from accessing what once may have required them to be on a domain-joined device with a VPN client installed.
