A First Foray into THE CLOUD via Intune (#3 in a series)

The moving parts of Intune: Can any be mapped to Configuration Manager?

My previous post in this series gave a basic introduction to Intune and walked through several scenarios that describe how to implement some of its features. Those scenarios, and others like them that Microsoft publishes continually, should show clearly how the elements of Intune work. I don’t want to get into a “check-box battle” that simply highlights what one product does versus another; I believe these scenarios do an excellent job of explaining the feature set of Intune.
I also believe that an effective way to move from what you know to what you don't (or need to) know is to introduce features by loose comparison. In the end, though, the reader is probably best served by working through the scenarios referenced earlier in this series, each of which shows how to enable a management capability with Intune. That said, let’s take some of the information in my original reference blog and see whether any of it loosely compares to traditional Configuration Manager. The key to your success and understanding will be following the guidance in the scenarios outlined in #2 in this series, and others like them.

Mobile Device Mgmt (MDM)

“..enroll devices (to) …provision, configure, monitor, and take actions on devices”
This statement sounds a lot like deploying a client in Configuration Manager to manage an on-prem device. But wait! When you create users in an Intune standalone tenant (users who will be associated with devices), you are actually creating them in Azure Active Directory. Is this akin to creating a domain user in AD Users & Computers? No. You also take on the subscription and licensing model inherent in Intune, none of which is covered in this introductory series. We are now working in The Cloud, people! This turns the old-school model on its head a bit: it’s not as simple as creating the Intune user, because other things are happening behind the scenes.
Thinking of AD in the context of the “premium” tier of Azure AD makes things even more confusing. In that world you can do hybrid identity management (on-prem AD synchronized with cloud AD) or move identity entirely to the cloud. The big play here comes when tackling the shared-device scenario mentioned earlier.
Corporate phone management also lands here, and under Mobile Application Management (MAM), covered in the next section.
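To make the identity point concrete, here is an added example (not from the original post, and not Microsoft’s own documentation) that creates a user the way an Intune standalone tenant does, that is, directly in Azure AD, and then assigns the Intune license as a separate, explicit step. It assumes the Microsoft Graph PowerShell SDK is installed, that you sign in as a tenant administrator, and that the tenant’s Intune subscription carries the SKU part number INTUNE_A; the domain contoso.onmicrosoft.com and the user details are placeholders.

```powershell
# Added example: an "Intune user" is really an Azure AD user plus a license assignment.
# Assumes the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph) and a
# tenant admin sign-in. Domain, user details and SKU part number are assumptions.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Organization.Read.All'

$upn = 'jdoe@contoso.onmicrosoft.com'   # placeholder tenant domain

# Generate a throwaway initial password; the user is forced to change it at first sign-in.
$initialPassword = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 16 | ForEach-Object { [char]$_ })

# Step 1: create the user object. It lives in Azure AD, not "in Intune".
# UsageLocation must be set before any license can be assigned to the account.
$user = New-MgUser -DisplayName 'Jane Doe' `
    -MailNickname 'jdoe' `
    -UserPrincipalName $upn `
    -UsageLocation 'US' `
    -AccountEnabled:$true `
    -PasswordProfile @{
        Password                      = $initialPassword
        ForceChangePasswordNextSignIn = $true
    }

# Step 2: creating the user gave it no Intune entitlement at all. Find the Intune SKU
# and check that a seat is actually free before trying to assign it.
$sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq 'INTUNE_A'   # assumed SKU name
if (-not $sku) { throw 'No Intune SKU found in this tenant; check your subscription.' }

$available = $sku.PrepaidUnits.Enabled - $sku.ConsumedUnits
if ($available -le 0) {
    throw "No free Intune seats: $($sku.ConsumedUnits) of $($sku.PrepaidUnits.Enabled) consumed."
}

# Step 3: the license assignment is the step that lets this user enroll a device.
Set-MgUserLicense -UserId $user.Id -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @()

# Step 4: verify what the account ended up with.
Get-MgUserLicenseDetail -UserId $user.Id | Select-Object SkuPartNumber, SkuId
```

If the tenant is licensed through an EMS bundle rather than a standalone Intune plan, the SKU part number will differ (for example EMS for Enterprise Mobility + Security E3), so list `Get-MgSubscribedSku` first and pick the right one. The two failure modes worth knowing about are the missing UsageLocation (the license assignment is rejected) and an exhausted seat count (the assignment fails and the user cannot enroll), which is exactly the “whole subscription and licensing thing” the post alludes to.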

Mobile App Mgmt (MAM)

“..publish, push, configure, secure, monitor, and update mobile apps”
This is the functional area where corporate management of BYOD lands. Corporate phones also align here, as well as in the MDM space discussed earlier. It appears loosely aligned with the traditional Configuration Manager elements of software distribution, client agent settings management, and the status messaging subsystem.

Mobile App Security

“..managing mobile apps (by) ..isolating personal data from corporate data and allowing the corporate data to be selectively wiped”
This appears roughly analogous to Configuration Manager Role-Based Administration, perhaps as applied at the collection level. There is no obvious 1:1 mapping here, if any exists at all. This element implements the concept, discussed in #2 in this series, of sandboxing corporate data separately from personal data on the device.

It’s all about scenarios

I’ve already made several references to existing “scenarios” published in “Common problems solved”, described in #2. Note that Microsoft experts in this field continually add more scenarios, so keep an eye out for them. From what I’ve discerned thus far, in the end it comes down to managing by implementing the processes outlined in these scenarios, tailored to your needs and environment.
Whether you use Configuration Manager or Intune, as an administrator you are continually confronted with implementing any number of different scenarios to manage your estate. Different scenarios carry different requirements; some are one-offs, but many are variations on common themes. Look for a wide range of scenarios to come from Microsoft on effective use of EMS, and Intune specifically. I highlighted the link Start Using Enterprise Mobility + Security (Jeff Gilbert) in #2 in this series. Think of it as your living cheat sheet for getting started with EMS (of which Intune is but one part).

OK, so now what?

As the author of my source blog stated in her summation, and as I’ve tried to expand upon throughout this series, the major elements of Intune break down into managing devices (MDM); managing the applications on and for those devices (MAM); and the security that ties devices, apps and users together (mobile app security).
Complicating the implementation of the above, however, is the very real matter of subscriptions, licensing and all that entails, which is well beyond the scope of this post.
The author also suggests using these tools in various combinations to manage the estate effectively, depending on the scenarios needed to meet your requirements. To my way of thinking, this is not at all unlike traditional Configuration Manager, where the administrator calls on any number of discrete components or features to accomplish a given task (or, as we’ve framed it here with Intune, a scenario).
In the end, the flexibility of Intune allows any number of adaptations to the needs of the enterprise, including several ways to adopt Intune in the first place:

  • Do you migrate the entire estate all at once?
  • Do you manage just the apps (all of them, or some) while the devices themselves stay managed by AirWatch or MobileIron for now?
  • Do you choose to implement Intune in the standalone mode for BYOD devices while domain joined devices continue to be managed by Configuration Manager?

In general terms, if a device is domain joined, think of Configuration Manager as the systems management platform of choice today; otherwise, think of Intune as a viable platform for managing those other devices in the short term.
As a first-step scenario, you can also think of Intune as a viable cloud-based management platform for your road warriors and the BYOD crowd. This provides a better overall customer experience than Configuration Manager alone can offer today. For added clarity around which platform should be used for what, refer to this blog: Path to modern Windows Management with Microsoft Intune (Jeanie Decker et al.).

What’s Coming Next

As I continue this series, I plan to review the overall architecture needed to stand up Intune in the first place, and then actually get into the solution for a test drive.