So you have been using an MDM platform for some time but now your management has their hands on some Microsoft Intune licenses and want you to perform an Intune migration? It’s a story we are hearing quite frequently these days and we get it – making the most of your licensing investment is something we can all understand.

Moving to Intune is not free though – moving your users across will take time to plan and prepare. Here are some things you will need to consider for a successful Intune migration project…

Apple Business Manager

If you are purchasing Apple devices for your employees then you absolutely want to be integrating Intune with Apple Business Manager (ABM). There are many good reasons you should use the Device Enrolment and Volume Purchasing features of ABM, but here are a few of my favourites:

  • Users don’t need an Apple ID to enrol or have apps provisioned
  • Enrolment is much quicker and easier for the end user
  • There are a lot more management controls and security options for devices
  • Using ‘Lost Mode’ you can find devices remotely even if they have their GPS function turned off

Android Enterprise

The next Android OS version released by Google will not support the Device Admin APIs. For years we have been managing devices – wiping, locking, pushing policy – using these old APIs, but they are deprecated and stop working with Android 10 (Q). The only way to manage devices going forward is by integrating with Android Enterprise. So whilst it was optional in the past, this year if you don’t integrate with Android Enterprise you will lose control of your devices. Google offers a number of different Android Enterprise configuration options which MDM vendors are starting to adopt. These include:

Work Managed – Where you enrol and control the whole device – this one is great because users don’t need a Gmail account to enrol or have apps pushed.

Work Profile – With this profile you push enterprise content to a container on a device but the device itself is not managed or controlled – this one is good for BYOD.

COPE – Corporately owned / personally enabled – means you enrol and control the device and push apps but your employees can also add their personal Gmail account and have their own apps deployed separately from the enterprise apps.

Kiosk – A completely locked down device where you are pushing a few apps and the device is not used for anything else.

Intune App Protection policies

If you are deploying Outlook, Word, Excel or any apps built with the Intune SDK then App Protection Policies should be used to ensure your enterprise data is secured on mobile devices. The great thing about App Protection Policies is that you can use them to protect the data and apps without enrolling the device into Intune MDM, or you can layer these policies on top of a managed, secure device. Policies include being able to wipe data remotely from the apps if they are not being used, adding a passcode to the apps, and blocking the movement of corporate data from these apps into unsanctioned, unsecure applications.

Azure Conditional Access

Conditional Access is a great solution if you are using Office 365 and have your devices enrolled into Intune. With Conditional Access you can ensure that only enrolled, compliant devices are allowed to access your corporate data. For example, a clinician’s app could be configured with the Intune APP SDK so that she can view patient data while connected to the hospital WiFi but not when connected to public WiFi in the local coffee shop. Or the app could be configured to open when the clinician is inside the geo-fence of the hospital but not open when outside that geo-fence. Layering these controls enables a healthcare provider to achieve very granular control of the security posture with a seamless user experience.
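As an added illustration (not from the original post), here is the shape of a Conditional Access policy that grants Office 365 access only from a compliant device or from an app covered by an App Protection Policy, together with a simplified local model of how the policy decides a sign-in. The policy name, the iOS/Android platform scope and the report-only default are assumptions.

```python
import json

# Constructed example: a policy body in the shape that Microsoft Graph's
# POST /identity/conditionalAccess/policies accepts. displayName, platform
# scope and the report-only default state are assumptions for this example.
def build_policy(state="enabledForReportingButNotEnforced"):
    return {
        "displayName": "Require compliant device or protected app for Office 365",
        "state": state,  # "enabled" enforces; report-only only logs the outcome
        "conditions": {
            "clientAppTypes": ["all"],
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["Office365"]},
            "platforms": {"includePlatforms": ["iOS", "android"]},
        },
        "grantControls": {
            # OR: a compliant Intune-enrolled device OR an app under an
            # App Protection Policy satisfies the policy (the layering the
            # text describes); AND would demand both.
            "operator": "OR",
            "builtInControls": ["compliantDevice", "compliantApplication"],
        },
    }

def policy_json(state="enabledForReportingButNotEnforced"):
    """The JSON you would send to Graph (after piloting in report-only)."""
    return json.dumps(build_policy(state), indent=2)

def evaluate(policy, signin):
    """Simplified local model of applying this policy to one sign-in; the
    real service evaluates many more conditions and all other policies.
    `signin` keys: app, platform, device_compliant, app_protected."""
    cond = policy["conditions"]
    in_scope = (
        signin["app"] in cond["applications"]["includeApplications"]
        and signin["platform"] in cond["platforms"]["includePlatforms"]
    )
    if not in_scope:
        return "allow"  # this policy does not apply to the sign-in
    satisfied = {
        "compliantDevice": signin["device_compliant"],
        "compliantApplication": signin["app_protected"],
    }
    met = [satisfied[c] for c in policy["grantControls"]["builtInControls"]]
    ok = any(met) if policy["grantControls"]["operator"] == "OR" else all(met)
    if policy["state"] != "enabled":
        return "allow" if ok else "report-only-block"  # logged, not enforced
    return "allow" if ok else "block"
```

Start in report-only mode and review the sign-in logs before switching the state to "enabled", so that unenrolled devices that still need access surface before they are locked out.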

Azure AD Application Proxy

If you still have some on-premises web services, or even data hosted in Azure, the Azure AD Application Proxy can be installed to provide secure access for mobile devices. You can use the Azure AD Application Proxy in conjunction with the managed Edge browser and Intune App Protection Policies to provide easy access to these resources by publishing bookmarks to important URLs.

These 5 building blocks are just the beginning. Mobile devices, apps and operating systems are constantly changing, so you will need to proactively manage every aspect of your mobile security environment and constantly adapt to stay ahead of the bad guys.