
Microsoft Intune: Mobile Device and Application Management From The Cloud


Microsoft Intune

Mobile device and application management from the cloud

Speaker Name
Date
Mobility is the new normal
• 52 percent of information workers across 17 countries report using three or more devices for work*
• 90 percent of enterprises will have two or more mobile operating systems to support in 2017**
• >80 percent of employees admit to using non-approved software-as-a-service (SaaS) applications in their jobs***
* Forrester Research: “BT Futures Report: Info workers will erase boundary between enterprise & consumer technologies,” Feb. 21, 2013
** Gartner Source: Press Release, Oct. 25, 2012, http://www.gartner.com/newsroom/id/2213115
*** http://www.computing.co.uk/ctg/news/2321750/more-than-80-per-cent-of-employees-use-non-approved-saas-apps-report
What's driving change?

User Devices Apps Data IT


Empowering enterprise mobility
People-centric approach

User Devices Apps Data IT

Enable your users
Unify your environment
Protect your data
Why Microsoft? Our mobility solution is different
Access from many devices It’s integrated on common identity

Manage and secure productivity It protects Office better

Preserve existing investments It just works

Support iOS, Android, Windows It’s comprehensive

Protection at all layers Identity, device, apps, data—built in


Enterprise Mobility Suite

Unify identity: Azure Active Directory Premium
Easily manage identities across on-premises and cloud. Single sign-on and self-service for corporate resources.

Manage apps and devices: Microsoft Intune
Manage and protect corporate apps and data on almost any device with MDM and MAM.

Protect data: Azure Rights Management
Encryption, identity, and authorization policies to secure corporate files and email across phones, tablets, and PCs.
Device management challenges

Traditional PC management

BYOD

CYOD

Regulated devices

Internet of Things (IoT) / Embedded devices


Enterprise mobility management with Intune
Mobile device management
Mobile application management
PC management

User IT

Microsoft Intune

Intune helps organizations provide their employees with access to corporate applications, data, and resources from virtually anywhere on almost any device, while helping to keep corporate information secure.
Comprehensive lifecycle management
Enroll
• Provide a self-service Company Portal for users to enroll devices
• Deliver custom terms and conditions at enrollment
• Bulk enroll devices using Apple Configurator or service account
• Restrict access to Exchange email if a device is not enrolled

Provision
• Deploy certificates, email, VPN, and WiFi profiles
• Deploy device security policy settings
• Install mandatory apps
• Deploy app restriction policies
• Deploy data protection policies

Manage and Protect
• Restrict access to corporate resources if policies are violated (e.g., jailbroken device)
• Protect corporate data by restricting actions such as copy, cut, paste, and save as between Intune-managed apps and personal apps
• Report on device and app compliance

Retire
• Revoke access to corporate resources
• Perform selective wipe
• Audit lost and stolen devices

User IT
Enable users to be productive
Enroll devices to access corporate resources

User IT
Microsoft Intune

Actions upon device enrollment


Devices enrolled
• Deploy email, VPN, and WiFi profiles
• Deploy certificates
• Deploy and install apps
• Deploy managed app configuration policies
• Apply and enforce device configuration settings
• Collect hardware and software inventory data
Email profile management
Corporate email server
Any email service supported by Exchange ActiveSync

User IT

Microsoft Intune

Deploy email profile upon enrollment


• Configure account settings and security restrictions
• Enable certificate authentication
• Synchronize email, task, contacts, and calendar
• Support for iOS, Samsung KNOX, and Windows Phone
Microsoft Passport management for Windows 10
Microsoft Passport replaces passwords with strong two-factor authentication to help protect user identities and user credentials
• Credentials protected by hardware or software
• Credentials can be based on certificate or local keys
• Can be accessed using biometrics (Windows Hello) or PIN

Intune provides comprehensive management of Microsoft Passport
• Intune can deploy certificates to Microsoft Passport to authenticate users and help them to access corporate resources
• Intune manages Passport for Work policy including PIN settings, biometrics settings, Trusted Platform Module (TPM) requirements
Azure AD Join for Windows 10
Azure AD Join makes it possible to connect work-owned Windows 10 devices to your company’s Azure Active Directory.
With Azure AD Join, you can auto enroll devices in Microsoft Intune for management.

Intune / MDM auto-enrollment
Enterprise-compliant services
Single sign-on from the desktop to cloud and on-premises applications with no VPN
Support for hybrid environments

[Diagram: Windows 10 Azure AD Joined Devices, Intune auto-enrollment, On-premises apps]
Manage a broad set of apps with EMS

Azure AD Premium Intune RemoteApp

SaaS apps Native apps Windows apps


anywhere
Company portal self-service experience
Consistent experience across Windows,
Windows Phone, Android, and iOS
Discover and install corporate apps

Manage devices and data

Customizable terms and conditions

Ability to contact IT
Volume purchasing
Purchase licenses in bulk for paid apps using the Windows Store for Business and Apple Volume Purchasing Program (VPP)
Deploy licenses to users with Intune and install apps as required
Deploy offline app packages to Windows 10 devices that cannot access the Windows Store with System Center Configuration Manager

[Diagram: Volume purchasing integration; Assign licenses to users; License and app installed by store]
Corporate-owned devices
Corporate-owned devices (CYOD), with personal use allowed
Retail outlets using tablets as point of sales devices, gift registries, etc.
Schools providing tablets for technology-based learning
Bulk enrollment options

Service account enrollment
Apple Configurator
Apple Device Enrollment Program (DEP)
Windows 10 provisioning profile
Device lockdown

Restaurant School Retail Store

Business IT
Manager

Apply policies

Deploy policies using Intune to lock down devices so they can only run applications allowed by IT

Allow multiple users to use the same device and customize device experience based on identity

Deploy Device Guard policies using Intune to only allow trusted applications to run on Windows 10 devices
Protect corporate data
from virtually anywhere
Control access to corporate data

On-premises
Mobile devices

Devices Apps
PCs Data Apps
Users Data

Web browsers

Access
The control cannot
perimeter to corporate data today
help protect data stored in the cloud
Protect data in a mobile-first, cloud-first world

On-premises Managed cloud

Enterprise
Mobility Suite
Devices Apps

Users Data

SharePoint Exchange
Online Online

Access control and data protection integrated natively in the apps, devices, and the cloud
Conditional access with EMS
Conditional Corporate
access policies apps

IP Range

Device State
User
Cloud
Advanced
Windows 10
options

User Group
On-premises
Conditional access
Policy compliance verification

SharePoint Exchange Device management


Online Online
Device compliance

User
Measured boot integrity status
(Windows PPCH)
Policy
verification Advanced device compliance
(antivirus, firewall, patch state, etc.)

Windows 10

Microsoft Intune

Windows
Provable PC
Health (PPCH)
Mobile device management
Apply and enforce device configuration settings across iOS,
Android, and Windows via Intune MDM

Manage settings across Windows 10 PC, phone, and IoT devices via Intune MDM –
including Windows Defender (anti-malware), Firewall, and Cortana

Collect hardware and software inventory data for reporting


Mobile application management policies

Enforce corporate data access requirements
Prevent data leakage on the device
Enforce encryption of app data at rest
App-level selective wipe
Mobile application management
Multi-identity policy
Managed
Managed apps
apps
Corporate
data

Personal
User data IT

Personal apps

Maximize mobile productivity and protect corporate resources with Office mobile apps – including multi-identity support

Extend these capabilities to your existing line-of-business apps using the Intune App Wrapping Tool

Enable secure viewing of content using the Managed Browser, PDF Viewer, AV Player, and Image Viewer apps
Manage mobile productivity without device enrollment

Enable familiar Office experiences for employees. No enrollment.

Prevent data leakage for Office mobile and other apps on unmanaged devices or devices managed by a third-party MDM.

Protect data at the file level for Office documents and more with Azure Rights Management.

[Diagram: MAM policies on Corporate apps; Azure Rights Management File policies; MDM policies, MDM – optional (Intune or 3rd-party); Personal apps]
Manage mobile productivity without device enrollment

Familiar Office experience
• Seamless “enrollment” into app management
• Use for personal and corporate accounts

Comprehensive protection
• App encryption at rest
• App access control – PIN or credentials
• Save as/copy/paste restrictions
• App-level selective wipe

MDM mgmt. by Intune or third-party is optional

Extend protection to a file level with Azure RMS

Might be a good solution for these scenarios:
• BYOD when MDM is not required
• Extending app access to vendors and partners
• Already have an existing MDM solution

[Diagram: MAM policies on Corporate apps; Azure Rights Management File policies; MDM policies, MDM – optional (Intune or 3rd-party); Personal apps]
MAM without enrollment architecture
1 User installs an app from the Apple App Store or Google Play
2 User logs in with Office 365 credentials
3 Azure AD verifies that the app and user are allowed to access Office 365
4 Intune applies MAM policies to the managed apps
5 Access to Office 365 is granted
6 User continues to use the app as per usual

[Diagram: User, Office 365, Azure AD]
Intune app partners
Microsoft apps, such as Office, Dynamics CRM, Power BI, and more

Partners that integrated their apps with Intune App SDK


Selective wipe
Managed apps

IT
IT

Perform selective wipe via self-service


company portal or admin console

Remove managed apps and data


Personal apps
Keep personal apps and data intact
“Enterprise data protection” for Windows 10
Configure and manage EDP policies with Intune and Azure Rights Management

Separate personal and corporate data with limited impact to employee’s day-to-day activities

Control app access to corporate data and prevent copy and paste-related data leaks

Protect data at rest and wherever it may roam*

Secure content collaboration through integration with Azure Rights Management

[Diagram: Microsoft Intune & Azure Rights Management; Apply policies; User; Save; File share; Save, Personal storage; Share files and enforce policies; Corporate network]

* Some roaming scenarios use Azure Rights Management
Protect corporate data with Windows 10
Device protection Data separation Leak protection Sharing protection

BitLocker Enterprise Rights


Device Guard Data Protection Management

Device settings
Windows
Defender

Microsoft Intune Microsoft Intune Azure Rights Management


Typical EMM stack

Standard MDM provides


device configuration and Native device MDM
management
DMZ/ Corporate
Mobile application Perimeter network
management network

Custom data container


provides mobile productivity Containers
Active Directory

Firewall
Firewall
apps integrated with content
and access systems
Custom Custom Custom Depends on
email app collab app file app specific DMZ
infrastructure

Works on- Exchange SharePoint


premises only Server Server
Custom SDK/wrapper
enables line-of-business SDK/wrapper, managed browser,
apps to be managed managed viewers
Microsoft’s EMM stack

Intune: Cross-platform MDM Cloud integration


Native device MDM
SharePoint Exchange
Online Online
Managed Office
Office 365: Mobile productivity and more
productivity
Azure AD: Access control to DMZ/ Corporate
Office 365 and SaaS apps Perimeter network
Intune: App restrictions for network
Office mobile and LOB apps Standard
on-premises
Azure Rights Management: integration
Information protection at the Active Directory

Firewall
Firewall
file layer

Extensibility based on Azure


AD and Intune Enable business Intune App SDK
apps to interoperate with Office Intune App Wrapping Tool
mobile apps
Exchange SharePoint
Server Server
Multiple layers of protection

User IT

Identify and authorize user

Active Directory Premium

Apply device policies

Enterprise Mobility Suite


Apply application policies

Apply content policies Rights Management


Summary

Deployment flexibility
Modern architecture
Enable enterprise mobility with EMS
Deployment flexibility
Intune standalone (cloud only) Configuration Manager integrated with Intune (hybrid)

IT IT

Intune web console Configuration Manager console

System Center
Configuration
Manager

Mobile devices and PCs Domain joined PCs Mobile devices


Architecture matters

• Always up-to-date, no need to migrate
• Always available and reachable
• Easy to try, adopt, and deploy
• Integrates with existing on-premises infrastructure
• Disaster recovery and geo-diversity
• Assign your data to a region
• Built from the ground up: datacenter, fabric, SaaS
• Built using world-class engineering and security
• Compliant and certified
• Financially backed Service Level Agreements (SLAs)

[Diagram: Azure Active Directory, Intune, Azure Rights Management, Office 365]
Enterprise Mobility Suite

Identity and access management (Active Directory Premium)
• Security reports, audit reports, multi-factor authentication
• Self-service password reset and group management
• Single sign-on to over 2,400 popular SaaS applications

Mobile device and application management
• Mobile device settings management
• Mobile application management with Office mobile apps
• Conditional access and selective wipe

Information protection (Rights Management)
• Information protection
• Document tracking
• Bring your own key
One vendor. Unified solutions.

Making it easier to deliver a great brand experience
Keeping the selling workforce productive
Bringing a new level of efficiency to management
Next Steps
• Sign up for a free trial: aka.ms/IntuneFreeTrial
• Request an enterprise mobility proof-of-concept from your account team or partner
• Find a partner with competency in devices, deployment, identity, and access
• Take advantage of your Software Assurance Planning Services benefits
• Learn more about our enterprise mobility products and solutions:
  • Enterprise Mobility Suite: aka.ms/EnterpriseMobilitySuite
  • Mobile device and application management: aka.ms/MDM-MAM
  • Microsoft Intune: aka.ms/MicrosoftIntune
  • System Center 2012 R2 Configuration Manager: aka.ms/ConfigMgr
alias@Microsoft.com
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the
part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Appendix

Mitchells and Butlers, a pub and
restaurant company, boosts service and
satisfaction with mobile device and
application management.
“By using Microsoft Intune, we can
improve staff members’ work experience
and guest satisfaction, while reducing IT
labor and operational costs. Everyone
wins.”

Tim Banham
Solution Architect
Mitchells and Butlers
Empire Today, a national flooring
company, uses mobile device
management to expedite sales and
boost efficiency.
“Our competitive strategy depends on
deploying Microsoft Intune to manage
1,200 tablets used by our independent
sales contractors to improve our in-
home sales process and win more
business.”

Steven Creaney
Senior .NET Developer
Empire Today
Foxtons, a real estate agency, boosts
business, customer service, with
remotely managed solution.

“By adding Microsoft Intune to our


environment … we can deploy, secure,
and manage mobile apps that staff use
to move faster than the competition and
drive business.”

Gurdip Kundi
Senior Systems Engineer
Foxtons
The Walsh Group, a Chicago-based
construction firm, uses cloud-based
tools to advance mobility and
productivity
“We use the Enterprise Mobility Suite to
empower employees to use their own
devices to securely access and share
their data. The upshot? We’re improving
project management and reducing
costs.”

Patrick Wirtz
Innovation Manager
The Walsh Group

Empowering enterprise mobility

Devices Apps Data

User IT

Enable Protect
your users your data

Management. Access control. Information protection.


Managed email and productivity

Identity

Device (optional)

Application

Data
Microsoft Passport management for Windows 10

Microsoft Intune

Deploy a certificate and


Microsoft Passport settings

Authenticate and
trust my unique key
Access corporate Azure Active Directory
resources and
Authentication
token Active Directory
Why CYOD?
IT admins End users

IT admins
• Need easy way to prepare corporate-owned devices for enrollment
• Need to distinguish corporate-owned devices from personal-owned devices in the management console
• Need fast and easy way to bulk enroll shared devices
• Need devices to be secure at all times and within IT control

End users
• Need fast and easy way to enroll CYOD devices
• Should not be able to un-enroll devices that are corporate-owned
• Need access to corporate apps and other MDM capabilities on devices to be productive

IT User
Evolution of mobile device management in Windows
Significant investments in added functionality for both mobile and desktop devices

Comprehensive
device management

Device lockdown

Basic management and


security settings
Phone Desktop Phone Desktop

Windows 8.1 Windows 10


Mobile application management
Managed apps

Email
attachment

User
Copy Paste Save

Paste to Save to
personal app personal storage

Personal apps
Maximize productivity while preventing leakage of company
data by restricting actions such as copy, cut, paste, and save
as between Intune-managed apps and unmanaged apps
Manage devices from virtually anywhere
New intuitive dashboard

Respond to alerts

Manage software deployments

Configure and deploy policies

View reports

Role-based management

Intune web console


Deployment flexibility
Intune standalone (cloud only) Manage and Protect
• No existing infrastructure necessary
• No existing Configuration Manager deployment required
• Simplified policy control
• Simple web-based administration console
• Faster cadence of updates
• Always up-to-date

[Diagram: IT, Intune web console]

Devices Supported
• Windows PCs (x86/64, Intel SoC)
• Windows RT
• Windows Phone 8.x
• iOS
• Android
• OS X
Mobile devices and PCs
Deployment flexibility
System Center 2012 R2 Configuration Manager with Microsoft Intune
Configuration Manager integrated with Intune (hybrid)
• Build on existing Configuration Manager deployment
• Full PC management (OS deployment, endpoint protection, application delivery control, custom reporting)
• Deep policy control requirements
• Greater scalability
• Extensible administration tools (RBA, PowerShell, SQL reporting services)

[Diagram: IT, Configuration Manager console, System Center Configuration Manager, Domain joined PCs, Mobile devices]

Devices Supported
• Windows PCs (x86/64, Intel SoC)
• Windows to Go
• Windows Server
• Linux
• OS X
• Windows RT
• Windows Phone 8.x
• iOS
• Android
PC management

Intune standalone (cloud only)
• Lightweight, agentless OR agent-based management
• PC protection from malware
• PC software update management
• Software distribution
• Proactive monitoring and alerts
• Hardware and software inventory
• Policies for Windows Firewall management

Configuration Manager integrated with Intune (hybrid)
• Lightweight, agentless OR comprehensive agent-based management
• PC protection from malware
• PC software update management
• Software distribution
• Proactive monitoring and alerts
• Hardware and software inventory
• Policies for Windows Firewall management

Operating system deployment


PC, mobile device, Windows Server, Linux/Unix, Mac, and virtual desktop management
Power management
Custom reporting
Settings management

User

Comprehensive security policies are enforced on each platform
Extensive configuration settings are available for each platform
Reporting available on each setting whether it is applicable, conformant or has an error
Policies can be applied to user and device groups
VPN profiles

VPN connection
Automatic VPN
Per-app VPN (iOS)
WiFi and certificates

WiFi settings Manage and distribute certificates


Provision networks
Setup certificate based authentication
Mobile device inventory

Hardware properties for mobile devices are collected
Company app inventory is collected
Personal app inventory is not collected

User IT
Reporting
Conditional access for Office 365
Who does what?
• Intune: Evaluate policy compliance for device
• Azure AD: Authenticate user and provide device compliance status
• Exchange Online: Enforces access to email based on device state

[Diagram, steps 1 to 7 between the mobile device, Office 365 (Exchange Online), Azure Active Directory, and Microsoft Intune. Labels: Attempt email connection; Is device managed & compliant?; Return device state; Set device management/compliance status; If not compliant, push device into quarantine; Quarantine email with remediation steps (link to enroll device and compliance remediation steps); Enrollment / compliance remediation; If compliant, email access is granted]
Conditional access for Exchange on-premises
Who does what?
• Intune: Evaluate and manage device state
• Exchange Server: Provides API and infrastructure for quarantine

[Diagram, steps 1 to 6 between the mobile device, the on-premises Exchange server, and Microsoft Intune. Labels: Attempt email connection; Allow managed device; Block unmanaged device; If not managed, push device into quarantine; Quarantine email with remediation steps (link to enroll device); Device enrollment; If managed, email access is granted]
Paths to managed applications
Office mobile apps
Microsoft Office mobile apps are natively manageable with Intune
• Word
• Excel
• PowerPoint
• OneNote
• Outlook
• OneDrive for Business

Intune Viewer apps
Intune provides apps for secure content viewing
• Managed Browser
• PDF Viewer
• AV Player
• Image Viewer

Intune App Wrapping Tool
Make any app manageable without modifying code
• ‘Wrap’ internal line-of-business (LOB) apps to manage with Intune MAM policies

Intune App SDK
Build your apps from the ground-up with Intune App SDK
• Developers can easily integrate applications for manageability
• Provide more control over user experience with App SDK (vs. App Wrapping Tool)
Making applications manageable
Intune App Wrapping Tool
Allows you to apply Intune MAM policies to existing line-of business (LOB) apps:
• Post-compilation command line tool for IT Pros
• Supports repackaging unencrypted applications
• Applications are signed with company-specific certificates

Intune App Wrapping Tool:
• Platform-specific tools for iOS (Mac OS X 10.8.5+) and Android (Windows)
• Published by Microsoft (available on Download Center)
• Product documentation and in-tool command line help

Intune App SDK
Enables additional options to manage internal apps with Intune MAM policies:
• Intune App SDK and App Wrapping Tool use the same processing and enforcement engine
• SDK can be used for both LOB apps and store apps
• Enables additional MAM functionality over the app than the App Wrapping Tool (for example: disable save as functionality of the app)
Steps for protecting LOB apps

Intune
app wrapping tool
or SDK
User IT

LOB application

Deploy app Apply MAM policies


Application delivery options
Windows Windows
App origination Scenarios iOS Android
8.1/10 Phone 8.1

Line-of-business apps Available in Company Portal; targeted to ● ● ● ●


(Sideloading) users

Mandatory install and uninstall; targeted ● ● ● ●


to users and devices
User consent User consent
required required

Public store apps Deep linked app; available in Company ● ● ● ●


Portal; targeted to users
Managed store app; available in Company ● ●
Portal; targeted to users

Managed store app; mandatory install ● ●


and uninstall; targeted to users and
devices User consent User consent
required required
Flexible management of public store apps
External/Deep linked apps
• End user is taken to the store for installation
• Installation status is not reported in the admin console
• IT Pro can only make it available in Company Portal
• App on the device is marked as a personal app in inventory
• Works for both free and paid apps
• MAM policies cannot be applied

Managed store apps
• No trip to the store; installation begins directly
• Installation status is reported in the admin console
• Push apps; apps can be installed directly.
• App on the device is marked as a managed app in the inventory
• Works only for free store apps
• MAM policies can be applied
Options for corporate data removal
Full wipe
Restore device to factory defaults
• All data on the device is removed
• Device is reset to factory defaults
• Typically used for lost/stolen devices or resetting corporate-owned devices

Selective wipe
Remove company assets from device
• Company resources (apps, data, profiles, certificates, settings, and email) are removed
• MAM support adds ability to remove only corporate data from multi-account applications
• Typically used for personal-owned devices
Managed corporate-owned devices
Bulk enrollment
• Bulk enroll devices with a service account
• Support for Apple Configurator
• Support for Apple Device Enrollment Program
• Windows 10 provisioning profiles

Configuration policies
• Custom iOS policy
• Device lockdown
• Policies and apps targeted to devices
• Application install allow/deny list


Bulk enrollment with a service account

Business IT
Manager
Apply policies

Enrolls devices
on behalf
of users Distributes
to users Restaurant School Retail Store
Bulk enrollment with Apple Configurator
iOS devices will automatically enroll on first power on

User IT

Export device enrollment profile from Intune
Import to Apple Configurator
Configure iOS devices with the Apple Configurator
Apple Device Enrollment Program (DEP)

User IT
Custom iOS policy

User IT

Deploy a custom policy to iOS devices
Import the custom configuration file to Intune
Export a custom configuration policy from Apple Configurator
Allow or block apps
Prevent unauthorized apps from being used on devices

Platform Allow/block enforcement

Windows 10 Enforced by device OS (always compliant)


Windows Phone 8.1 Enforced by device OS (always compliant)
iOS Audit reporting
Android Audit reporting
Application update options
Windows Windows Installation Application
App origination Scenarios iOS Android
8.1/10 Phone 8.1 status update
Line-of-business Available in Company
● ● ● ● ● ●
apps (Sideloading) Portal; targeted to users
Mandatory install and ● ● * ● ●
uninstall; targeted to
User consent User consent
users and devices
required required
Public store apps Deep linked apps;
available in Company ● ● ● ●
Portal; targeted to users
Managed store apps;
available in Company ● ● ●
Portal; targeted to users
*
Managed store apps; ● ● ●
mandatory install and
User consent User consent
uninstall; targeted to
required required
users and devices
Mobile device setting categories in Intune
Category Win 8.1/10 Windows iOS Android/KNOX Exchange
Phone 8.1 ActiveSync
Password ● ● ● ●
Encryption ● ● ●
Malware ●
System Settings ● ● ● ●
Cloud ● ●
Windows Server Work Folders ●
Accounts and Sync ● ●
Email ● ● ●
Browser ● ● ● ●
Store Applications & Gaming ● ● ●
Device Hardware ● ● ●
Device Cellular/Roaming ● ● ●
Device Features ● ● ●
Note: Specific capabilities depend on platform
Software distribution summary
Modern App Types
Managed
Desktop Apps Side loading
Platform Deep Web Store
(.msi, .exe) *
.app .app .ipa .apk Links apps app

Windows 8.1/10 ● ● ● ●

Windows RT ● ● ●

iOS ● ● ● ●

Android ● ● ● ●

Windows Phone ● ● ●

Windows 7 and below ● ● management client


* = With full Microsoft Intune
Compare Microsoft Intune to MDM for Office 365
Category Feature Exchange MDM for Microsoft Intune Intune + ConfigMgr
ActiveSync Office 365 (cloud only) (hybrid)
Inventory mobile devices that access corporate applications ● ● ● ●
configuration

Remote factory reset (full device wipe) ● ● ● ●


Device

Mobile device configuration settings (PIN length, PIN required, lock time, etc.) ● ● ● ●
Self-service password reset (Office 365 cloud only users) ● ● ● ●
Provides reporting on devices that do not meet IT policy ● ● ●
Group-based policies and reporting (ability to use groups for targeted device configuration) ● ● ●
Office 365

Root and jailbreak detection ● ● ●


Remove Office 365 app data from mobile devices while leaving personal data and apps intact (selective wipe) ● ● ●
Prevent access to corporate email and documents based upon device enrollment and compliance policies ● ● ●
● ●
app management

Self-service Company Portal for users to enroll their own devices and install corporate apps

App deployment (Windows Phone, iOS, Android) ● ●


Deploy certificates, VPN profiles (including app-specific profiles), email profiles, and Wi-Fi profiles ● ●
Prevent cut/copy/paste/save as of data from corporate apps to personal apps (mobile application management) ● ●
Secure content viewing via Managed Browser, PDF Viewer, Image Viewer, and AV Player apps for Intune ● ●
obile device &
