What is Client Management - Part II

August 12, 2015

Windows Intune

Pros: Mobile Device Management, Easier-to-use management interface, cloud-based (no internal infrastructure needed), licensing model

Cons: Limited reporting capabilities, no task sequencing, overall "lag," No OSD, cloud-based.

Ahh, Intune. This is quickly becoming a buzzword for most, but to me, it's becoming a second love (shh ... don't tell SCCM). Intune is Microsoft's answer to cloud-based client management. I like the call Intune "SCCM-lite." It does a lot of what SCCM can do, but it's in the cloud and there are some limitations. It's targeted at smaller companies that may not have the means to support a heavy hierarchy like SCCM, or the administrative staff to support all the facets that SCCM has to offer, but need a form of client management to push software, patches, endpoint protection, compliance, and even manage mobile devices.

You'll notice I added "cloud-based" as a pro and a con at the beginning of this section – that's because depending on who you ask, this could be a pro or a con. Personally, I prefer to have my client management servers on premise so I can monitor logs, performance, etc. This is a personal preference, however. 

What's that? Mobile device management? You mean we can allow our users to bring their beloved iOS, Android, and WMP devices into the company and not have to worry about any sensitive data leaking? That's the main feature of Intune, in my opinion, but mainly because I use Intune in cahoots with SCCM to extend our management into mobile devices and support a BYOD movement we've been having internally.

Aside from MDM, Intune gives you a nice web-interface to manage your devices. You can push software, approve and deny Windows updates, give access to company resources, and configure configuration settings that can be enforced on the clients. All of these are actually pretty easy to configure – the web-interface almost walks you through these steps and the overall look and feel isn't as jarring as it once was. They've really designed this tool with their customers in mind, I have to say. Where it might take an SCCM Administrator months or more to feel confident in a couple facets of SCCM, the same can be said about Intune, but scale your learning curve back to only a couple days. Granted, Intune doesn't offer as much as SCCM – it can't image a device, its reports aren't as robust, inventory is a comparatively limited to SCCM – but it's a wonderful tool if you're not looking for the missing aspects.

There's two paths to using Intune – standalone and hybrid. Standalone is managed on the web-interface and hybrid is managed in SCCM. Standalone has a couple of benefits over hybrid since it literally lives on the internet. Microsoft has taken a rather aggressive approach on this front and taking advantage of this cloud-based management software by releasing updates and new features on a monthly basis. Microsoft is also actively listening to their customers of the product and trying to build the best tool it can offer.

In hybrid-mode, Intune offers more functionality to SCCM, allowing mobile devices to be managed with SCCM – giving you that single pane of glass for client management. As I am writing this blog, Microsoft has yet to release the ability to push AppStore software to iOS devices in SCCM, but you can make them available in the Company Portal. This is great because if your users already know how to use their favorite mobile device, the learning curve is minimal – most people know how to open a store and install an application nowadays. Also, applications deployed using this methodology can be managed. You can tell the application to launch a VPN in the background as to let it access internal resources, or if that user leaves the company, you can optionally wipe the device entirely, OR, you do what's called a "selective wipe" where all the things you once gave them access too – the apps in the Company Portal, the companies WiFi profile, VPN profile, all of that – can be stripped away in a single click. This leaves their favorite cat pictures intact and on the phone. Microsoft has really done a great job at drawing a distinct line between personal data and company data with this tool. It's only promised to get better as time goes on.

Another great feature of Intune is the subscription model. It's based on users. If you have 300 users, you buy 300 licenses and each of your users are allowed to have up to five (5) devices managed by Intune. Be it a full-blown Windows workstation, or an iOS device. This alone has sparked much interest to a lot of Microsoft's customers.

Intune, since it's cloud-based, only allows the clients to check-in every eight (8) hours. To me, this isn't quick enough. Being able to turn up that frequency would be great in my personal opinion.

My latest issue with Intune is that it might be over-sold at times. I recently used Intune to do a major migration from GroupWise to Office365 for a customer and ran into headaches along the way. The main headache was the fact that Intune can't execute a series of application installs in a needed series of steps like SCCM can. With SCCM, I can create a Task Sequence that does A-B-C and X-Y-Z to complete all needed steps on a workstation. With Intune, I tried to mimic this behavior by deploying the applications and specifying the execution time gapped by 30 minutes, but it didn't work out that way. Instead, Intune grabbed all the pending software installs and installed them as he saw fit. This led to misconfigured machines during the migration and a headache to correct. Lesson learned; do not try and get too much out of too little. Also, Intune is not capable of running tasks "as user." Intune can only do things "as SYSTEM" and as such, user-specific configurations and/or installations don't work.

In closing, Intune is a great product and can carry your basic load of client management needs. I know Microsoft is diligently working to make it better and I hope they can keep working on it until it's basically SCCM-in-the-cloud. But for now, this has been my piece, I hope this has been informative for you.. stay tuned for part III.

