By restructuring their device management strategy with Intune, Michigan Medicine achieved streamlined provisioning and management of over 40,000 devices.
Client Overview:
Michigan Medicine, the academic medical center of the University of Michigan, is a leading healthcare institution headquartered in Ann Arbor, Michigan. Comprising the University of Michigan Health System, the U-M Medical School, and various research centers and clinics, Michigan Medicine offers a wide range of medical services, education, and research opportunities. With a vast digital ecosystem that includes electronic health records, telemedicine platforms, and extensive research databases, Michigan Medicine faces substantial IT security challenges. Protecting patient data, ensuring the integrity of critical medical systems, and complying with stringent healthcare regulations are paramount to maintaining the institution’s reputation and operational effectiveness.
Managing a Windows Environment at Scale
Michigan Medicine built an extensive platform to manage all their clinical workstations over the past couple of decades. This platform was designed to furnish SCCM (System Center Configuration Manager) with the necessary data for provisioning and handling their machines. While this approach worked effectively for Windows hardware, it faced limitations when dealing with smartphones and macOS devices.
With 40,000+ devices and 26,000 users in their environment and a diverse range of use-cases, Michigan Medicine needed a modern solution that could ultimately manage all device types and be future-proof.
A Strategic Partnership
John McPhall, the Senior Director of Enterprise Technology Services at Michigan Medicine, initiated discussions with Microsoft about their technology options, specifically Intune. The Michigan Medicine team was not familiar with a specialist partner that could accelerate the technical design, build and rollout. This led to a partnership with Mobile Mentor.
Discovery & Analysis
Mobile Mentor carried out a thorough assessment and technical exploration to understand the identity configuration, evaluate the Group Policy Objects (GPOs), deconstruct the process for setting up new devices, review the suite of applications, and understand compliance requirements.
This was a combined effort by the architects and endpoint engineers from both organizations, collaborating closely for several weeks. This approach fostered a productive partnership between Michigan Medicine and Mobile Mentor.
Technical Design
The team at Mobile Mentor then created a technical design to map the existing system settings to the Intune platform, using a profile-based management approach. This was also a combined effort, with close cooperation between the identity, engineering and security departments at Michigan Medicine.
Pilot Configuration
After the design received approval, the Mobile Mentor team built a pilot configuration within the Michigan Medicine tenant. To enhance the learning experience, the Michigan Medicine team handled the configuration, while engineers from Mobile Mentor provided guidance and support throughout the process.
Production Build
The pilot was successful in validating the provisioning, deployment and management processes for a new Windows machine. This convinced Michigan Medicine that the strategy was sound, and the focus quickly shifted to a production build and addressing all the change management considerations for both the clinical and non-clinical user communities.
Knowledge Transfer
The Michigan Medicine team knew that success with Intune, particularly at their scale, would require new skills and extensive knowledge transfer. The last part of the project was a concerted effort to develop knowledge base articles and provide training to both the endpoint engineering team and the service desk team. The Intune platform is constantly evolving, and the knowledge transfer was intended to ramp up the team quickly and build its confidence to continue the journey.
Outcomes: Streamlined Provisioning and Management
- Provisioning with Intune and Autopilot – All new Windows machines for non-clinical users are now set up using Intune and Autopilot, streamlining the process.
- Reduced Build Time – The build time for new machines has been significantly reduced, now taking minutes instead of hours or days.
- Automated Deployment – Applications and OneDrive resources are now automatically deployed to users based on dynamic assignment groups.
- Updates and Patching – The Windows OS and applications receive updates and patches automatically, ensuring up-to-date security and performance.
- One Pane of Glass – In a parallel effort, 35,000 mobile devices were successfully migrated from AirWatch to Intune, consolidating device management.
- Centralized Compliance Monitoring – Compliance with IT policies is now monitored and managed from a central location.
Looking Ahead at Clinical Workstations
The next phase of the journey will be the migration of clinical workstations to Intune. That will require a different set of design and build considerations due to the Imprivata authentication to EPIC. Once that is done, Michigan Medicine will have successfully consolidated all endpoints on Microsoft Intune.
About Michigan Medicine
Michigan Medicine brings together world-class experts from research, patient care and education to make groundbreaking discoveries that create life-changing medicine.