- Microsoft Intune is a cloud-based Unified Endpoint Management (UEM) service that manages Windows, macOS, iOS, and Android devices without requiring a local management server.
- Compliance policies define minimum device requirements (OS version, encryption, antivirus). Devices that are not compliant are blocked from corporate data access through Conditional Access.
- Configuration profiles automate device configuration: Wi-Fi, VPN, email, security settings, and restrictions are centrally defined and distributed to devices.
- For BYOD scenarios, App Protection Policies (MAM) offer a middle ground: corporate data within managed apps is protected without managing the entire device.
- In the ISMS, Intune covers ISO 27001 controls A.8.1 (User endpoint devices), A.7.9 (Security of assets outside business premises), and A.8.9 (Configuration management), among others.
Why Device Management Matters for Mid-Market Companies Too
Device management sounds like a large enterprise topic: thousands of devices, global rollouts, complex policies. Yet even a company with 30 laptops and 50 smartphones faces the same fundamental challenges: Are the operating systems up to date? Is disk encryption active? Is a current antivirus running? What happens when a laptop is stolen?
Without centralized device management, you have to answer these questions manually for each individual device. The IT admin walks through the offices checking settings or trusts that employees install their updates. That works with 10 devices; with 50 it becomes unwieldy; and with BYOD devices (personal smartphones used to read business emails), you have no control at all.
Microsoft Intune solves exactly this problem: it manages endpoints centrally via the cloud, defines security requirements through policies, and enforces them automatically. And since Intune is included in Microsoft 365 Business Premium, you likely already have it licensed without using it.
What Can Intune Do?
Intune is a Unified Endpoint Management (UEM) platform that combines the management of desktops (Windows, macOS) and mobile devices (iOS, Android) in one console. The core capabilities:
Mobile Device Management (MDM):
- Register (enroll) and inventory devices
- Define and enforce compliance policies
- Distribute configuration profiles (Wi-Fi, VPN, email, restrictions)
- Control operating system updates
- Remote actions: lock device, wipe device, reset passcode
- Enforce encryption (BitLocker, FileVault)
Mobile Application Management (MAM):
- Distribute and update apps on devices
- App configuration policies (e.g., email server settings in Outlook)
- App Protection Policies: protect corporate data within apps without fully managing the device
- Selective wipe: remove corporate data from apps without touching personal data
Conditional Access Integration:
- Device compliance as a condition for accessing cloud apps
- Only compliant devices gain access to Exchange, SharePoint, Teams, etc.
- For unmanaged devices: App Protection Policies as an alternative condition
Enrollment: Registering Devices
Windows Enrollment
There are several enrollment methods for Windows devices, depending on the situation:
Windows Autopilot (recommended for new devices): New devices are automatically enrolled in Intune, configured, and provisioned with the necessary apps on first boot. The employee starts the new laptop, signs in with their corporate account, and the device configures itself. No IT touch required (Zero Touch Deployment).
Prerequisite: The hardware IDs of the devices must be registered with Microsoft in advance (via the hardware vendor or manually).
Entra ID Join (recommended for existing devices): Existing Windows devices are joined to Entra ID and automatically enrolled in Intune. The user goes to Settings > Accounts > Access work or school > Connect and signs in with their corporate account.
Hybrid Entra ID Join (for organizations with on-premises AD): Devices remain in the local Active Directory and are additionally registered in Entra ID and Intune. This method is suitable for organizations that have a local AD and cannot replace it immediately.
macOS Enrollment
macOS devices can be registered via Apple Business Manager (ABM) or the Company Portal app. The ABM method is recommended for new devices; the Company Portal method for existing devices.
Mobile Enrollment (iOS and Android)
iOS: Via Apple Business Manager (ABM) for company-owned devices or via the Company Portal app for BYOD.
Android: Via Android Enterprise with various profiles:
- Fully Managed: Company-owned devices, full control
- Work Profile: BYOD devices, separate work profile alongside the personal profile
- Dedicated Devices: Kiosk devices (e.g., warehouse scanners, info terminals)
Enrollment Recommendation for Mid-Market Companies
For a mid-market company with 50–200 employees, I recommend the following approach:
- Windows laptops: Entra ID Join for existing devices, Autopilot for new devices
- macOS: Company Portal for existing devices, ABM for new devices
- Company smartphones: Fully Managed (iOS) or Work Profile (Android)
- BYOD smartphones: No enrollment; instead, App Protection Policies (MAM without Enrollment)
Compliance Policies: The Minimum Requirements
Compliance policies define the minimum requirements a device must meet to be considered "compliant." Non-compliant devices are flagged and can be blocked from accessing corporate data through Conditional Access.
Windows Compliance Policy
Device health:
- BitLocker encryption required: Yes
- Secure Boot enabled: Yes (prevents bootkits)
- Code Integrity enabled: Yes
Operating system version:
- Minimum OS version: Windows 10 22H2 or Windows 11 23H2 (adjust to current version)
- Recommendation: Set the minimum to the second-to-last supported version so users have a realistic timeframe for updating
Antivirus:
- Microsoft Defender Antimalware active: Yes
- Real-time protection active: Yes
- Antimalware definitions current: Yes (no older than 3 days)
Password:
- Password required: Yes
- Minimum length: 8 characters (12 is better)
- Maximum inactivity before screen lock: 5 minutes
macOS Compliance Policy
Encryption:
- FileVault encryption required: Yes
Operating system version:
- Minimum OS version: macOS 14 Sonoma (or current major version minus 1)
Password:
- Password required: Yes
- Minimum length: 8 characters
System integrity:
- System Integrity Protection (SIP) active: Yes
- Firewall active: Yes
iOS Compliance Policy
Device health:
- Device not jailbroken: Yes
- Minimum OS version: iOS 17 (or current major version minus 1)
Password:
- Passcode required: Yes
- Minimum length: 6 characters
- Biometrics (Face ID / Touch ID) allowed: Yes
Android Compliance Policy
Device health:
- Device not rooted: Yes
- Google Play Integrity Check passed: Yes
- Minimum OS version: Android 13 (or current major version minus 2)
Password:
- Passcode required: Yes
- Minimum length: 6 characters
- Biometrics allowed: Yes
Grace Period and Actions for Non-Compliance
When a device is non-compliant, you should not immediately block access but configure a graduated response:
- Immediately: Mark device as non-compliant (visible in the Intune portal and to the user in the Company Portal app)
- After 1 day: Email notification to the user ("Your device does not meet the security requirements. Please update...")
- After 3 days: Second notification to the user
- After 7 days: Block access to corporate resources via Conditional Access
- After 30 days (optional): Remote wipe of the device (only for company-owned devices)
This graduation gives users time to resolve the issue (e.g., install an operating system update) without immediately disrupting business operations.
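The Windows compliance policy and the graduated response above, as an added example that is not code from the original article or from Microsoft. It expresses the policy settings as the JSON body you would POST to the Graph endpoint `/deviceManagement/deviceCompliancePolicies` (property names follow the Graph v1.0 `windows10CompliancePolicy` resource; the notification template ID is a placeholder you create in Intune first), and it checks constructed device records against the same thresholds so you can see which devices would fail before Conditional Access is switched from Report-Only to On. One caveat worth knowing: in Intune the seventh-day block is configured as the "Mark device noncompliant" action with a 7-day grace period (Graph `actionType` `block`, `gracePeriodHours` 168); until it fires, the device reports "in grace period" and Conditional Access still allows access.

```python
"""Windows compliance policy body and an offline pre-check of devices against it.

Added example, not code from the original article or from Microsoft. It encodes the
article's Windows compliance settings and the graduated non-compliance response as
the JSON body you would POST to /deviceManagement/deviceCompliancePolicies (property
names follow the Microsoft Graph v1.0 windows10CompliancePolicy resource), and checks
constructed device records against the same thresholds.
"""
import json
from datetime import datetime, timedelta, timezone

HOURS_PER_DAY = 24
NOTIFICATION_TEMPLATE = "<notification-template-id>"  # placeholder: create the template in Intune first

POLICY = {
    "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
    "displayName": "Windows - baseline compliance",
    "bitLockerEnabled": True,
    "secureBootEnabled": True,
    "codeIntegrityEnabled": True,
    "osMinimumVersion": "10.0.19045",   # Windows 10 22H2 build; adjust to the current version
    "defenderEnabled": True,
    "rtpEnabled": True,
    "signatureOutOfDate": True,         # require Defender security intelligence to be current
    "passwordRequired": True,
    "passwordMinimumLength": 12,
    "passwordMinutesOfInactivityBeforeLock": 5,
    # Graduated response. Intune stores all actions under the legacy ruleName
    # "PasswordRequired". actionType "block" with a grace period is the portal's
    # "Mark device noncompliant" action: until it fires the device reports
    # "in grace period" and Conditional Access still allows access.
    "scheduledActionsForRule": [{
        "ruleName": "PasswordRequired",
        "scheduledActionConfigurations": [
            {"actionType": "notification", "gracePeriodHours": 1 * HOURS_PER_DAY,
             "notificationTemplateId": NOTIFICATION_TEMPLATE},
            {"actionType": "notification", "gracePeriodHours": 3 * HOURS_PER_DAY,
             "notificationTemplateId": NOTIFICATION_TEMPLATE},
            {"actionType": "block", "gracePeriodHours": 7 * HOURS_PER_DAY},
            # Optional 30-day step; "retire" removes corporate data. Put it only in
            # a policy assigned to company-owned devices.
            {"actionType": "retire", "gracePeriodHours": 30 * HOURS_PER_DAY},
        ],
    }],
}

SIGNATURE_MAX_AGE = timedelta(days=3)


def build_number(version: str) -> tuple:
    """'10.0.22631' -> (10, 0, 22631) so that builds compare numerically."""
    return tuple(int(part) for part in version.split("."))


def evaluate(device: dict, now: datetime) -> list:
    """Reasons a device record fails the policy; an empty list means compliant."""
    reasons = []
    if not device["bitlocker"]:
        reasons.append("encryption missing")
    if not device["secure_boot"]:
        reasons.append("Secure Boot disabled")
    if not device["code_integrity"]:
        reasons.append("code integrity disabled")
    if build_number(device["os_version"]) < build_number(POLICY["osMinimumVersion"]):
        reasons.append("OS outdated")
    if not (device["defender_enabled"] and device["rtp_enabled"]):
        reasons.append("antivirus not active")
    if now - device["signatures_updated"] > SIGNATURE_MAX_AGE:
        reasons.append("antimalware definitions older than 3 days")
    if device["password_length"] < POLICY["passwordMinimumLength"]:
        reasons.append("password too short")
    if device["lock_after_minutes"] > POLICY["passwordMinutesOfInactivityBeforeLock"]:
        reasons.append("screen lock timeout too long")
    return reasons


def actions_fired(first_noncompliant: datetime, now: datetime) -> list:
    """Graduated actions that have already fired for a device non-compliant since first_noncompliant."""
    elapsed_hours = (now - first_noncompliant).total_seconds() / 3600
    steps = POLICY["scheduledActionsForRule"][0]["scheduledActionConfigurations"]
    return [step["actionType"] for step in steps if elapsed_hours >= step["gracePeriodHours"]]


# Constructed sample records (not an Intune export) and a fixed reference time.
NOW = datetime(2024, 6, 10, 9, 0, tzinfo=timezone.utc)
DEVICES = [
    {"name": "LT-001", "bitlocker": True, "secure_boot": True, "code_integrity": True,
     "os_version": "10.0.22631", "defender_enabled": True, "rtp_enabled": True,
     "signatures_updated": NOW - timedelta(hours=6), "password_length": 14, "lock_after_minutes": 5},
    {"name": "LT-002", "bitlocker": False, "secure_boot": True, "code_integrity": True,
     "os_version": "10.0.19044", "defender_enabled": True, "rtp_enabled": True,
     "signatures_updated": NOW - timedelta(days=5), "password_length": 8, "lock_after_minutes": 15},
]


def precheck(devices=DEVICES, now=NOW) -> dict:
    """Map device name -> list of failure reasons."""
    return {d["name"]: evaluate(d, now) for d in devices}


def fired_after_days(days: float, now: datetime = NOW) -> list:
    """Convenience wrapper: which actions have fired `days` after first non-compliance."""
    return actions_fired(now - timedelta(days=days), now)


if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    for name, reasons in precheck().items():
        print(name, "compliant" if not reasons else ", ".join(reasons))
    print(fired_after_days(4))
```

The pre-check is deliberately stricter than the Graph body on one point: the "no older than 3 days" rule for antimalware definitions is checked explicitly here, whereas the policy only sets `signatureOutOfDate`, which delegates the "current" judgement to Defender. Running the same thresholds over an exported device list before enforcement is the cheapest way to find the devices that will be blocked on day seven.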
Configuration Profiles: Distributing Settings Centrally
Configuration profiles automate the device configuration that would otherwise need to be done manually per device:
Wi-Fi Profile
Distribute the Wi-Fi configuration automatically, including SSID, security type, and certificate (for WPA2-Enterprise):
- Users connect automatically to the corporate Wi-Fi without manually entering the password
- When the Wi-Fi password changes, the new configuration is automatically distributed
VPN Profile
Configure VPN connections centrally:
- VPN type and connection mode: IKEv2, Always On VPN, split tunneling
- Per-App VPN: Only specific apps use the VPN connection (reduces load on the VPN gateway)
- Automatic connection: VPN connects automatically when specific resources are accessed
Email Profile
Configure Outlook or the native mail app automatically:
- Exchange Online server, username (from the Entra ID profile)
- S/MIME certificates for email encryption
- Prevents users from setting up their business email account in unmanaged mail apps
Device Restrictions
Set restrictions that enhance security:
Windows:
- Disable camera on lock screen
- Restrict USB storage devices (optional, depending on business requirements)
- Disable Cortana (privacy)
- Limit telemetry to "Required"
iOS:
- Restrict screenshots in managed apps
- Disable iCloud backup for corporate data
- Managed Open-In: Corporate files can only be opened in managed apps
Android:
- Restrict screenshots in the work profile
- Restrict copy/paste between work profile and personal profile
- Disable camera in work profile (optional)
Windows Update Management
Intune controls the installation of Windows updates:
Update Rings:
- Quality updates (security updates): Install automatically after 3–7 days (delay gives you time to identify problematic updates)
- Feature updates (major versions): Install automatically after 30–60 days
- Driver updates: Manually approve or install automatically
Maintenance windows:
- Install updates only outside business hours (e.g., 10:00 PM–6:00 AM)
- Automatic restart after update installation only during the maintenance window
App Deployment: Distributing Apps Centrally
Intune automatically distributes apps to managed devices. This eliminates the manual installation process and ensures all devices have the same app versions.
App Types in Intune
Microsoft 365 Apps: Intune distributes the Microsoft 365 Apps (Word, Excel, PowerPoint, Outlook, Teams) as a package. You define the included apps, the update channel, and the installation language.
Line-of-Business Apps: Industry-specific applications (.msi, .msix, .appx) can be uploaded directly to Intune and distributed. For more complex installations (e.g., EXE files with parameters), use Win32 app packages.
Microsoft Store Apps: Apps from the Microsoft Store (now including Win32 apps) can be assigned directly via Intune without managing the MSI/EXE package yourself.
Web Apps: Links to web applications (e.g., internal portals, SaaS applications) are distributed as shortcuts on the desktop or start menu.
App Assignment
- Required: The app is automatically installed on all assigned devices. The user cannot prevent installation.
- Available: The app is displayed in the Intune Company Portal and the user can install it on demand.
- Uninstall: The app is removed from all assigned devices.
Recommendation: Distribute the baseline suite (Office 365, browser, VPN client, security software) as "Required" and industry-specific or optional apps as "Available."
BYOD with App Protection Policies (MAM)
Bring Your Own Device is the biggest challenge for device management. Employees want to use their personal smartphones and tablets for business email and documents, but they do not want IT to control their personal device. And from a data protection perspective, full device management on personal devices is indeed problematic. A clear mobile device policy is the prerequisite for controlled BYOD.
App Protection Policies (MAM without Enrollment) offer a middle ground: you protect corporate data within managed apps without managing the device itself. The personal device is not enrolled in Intune; IT does not see private apps, photos, or location data.
How MAM Works
App Protection Policies create an encrypted container within managed apps (Outlook, Teams, OneDrive, Edge, etc.). Corporate data within this container is protected; personal data outside it is untouched.
Protection measures:
- Data transfer restriction: Corporate data cannot be copied into unmanaged apps (e.g., no copy/paste from a business email into WhatsApp)
- Encryption: Offline data within managed apps is encrypted
- PIN/Biometrics: Access to managed apps requires a separate PIN or biometric authentication
- Selective wipe: When an employee leaves, only corporate data is deleted from managed apps, not personal data
- Jailbreak/Root detection: Access to managed apps is blocked on compromised devices
Configuring MAM Policies
iOS App Protection Policy:
- Apps: Outlook, Teams, OneDrive, Edge, Office
- Data transfer: "Managed apps only" (corporate data only between managed apps)
- Encryption: Yes
- Access: PIN required (minimum 6 digits), biometrics allowed
- Offline access: Maximum 720 minutes (12 hours) without network connection
- Jailbreak: Block access
- Minimum OS version: iOS 17
- Selective wipe: After 90 days without check-in
Android App Protection Policy: Analogous configuration to iOS, plus:
- Screen capture: Block (prevents screenshots of corporate data)
- Backup: Exclude corporate data from Google Backup
- SafetyNet/Play Integrity: Required
Combining MAM and Conditional Access
The true strength of MAM emerges in combination with Conditional Access:
Conditional Access Policy for BYOD:
- Condition: Device is not marked as compliant (not Intune-managed)
- Condition: App = Office 365
- Grant: Require approved client app OR Require app protection policy
This policy allows access to Office 365 from unmanaged devices only when an approved app with an App Protection Policy is used. The user can open Outlook on their personal iPhone (because the App Protection Policy applies) but cannot access OWA via the Safari browser (because no App Protection Policy is active there).
Conditional Access Integration
The combination of Intune and Conditional Access closes the security loop:
For company-owned devices:
- Intune checks device compliance (OS version, encryption, antivirus)
- Conditional Access grants access only when the device is compliant
- Non-compliant devices are blocked until the issue is resolved
For BYOD devices:
- App Protection Policy protects corporate data in managed apps
- Conditional Access allows access only via managed apps with App Protection Policy
- Browser access is blocked or restricted by session controls
For unknown devices (e.g., hotel PC):
- Conditional Access blocks access or allows only restricted browser access
- Session Controls: No download, no printing, automatic timeout
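The two Conditional Access policies described above (require a compliant device for managed devices; require an approved app with an App Protection Policy for unmanaged ones), as an added offline model that is not the article's or Microsoft's code. Entra ID evaluates the real policies; this only reproduces the decision logic so the company-owned, BYOD and unknown-device cases from the text can be compared side by side. The sign-in records, user names and the `browser_mode` switch are constructed for the example.

```python
"""Offline model of the Conditional Access decisions described above.

Added example, not the article's or Microsoft's code: Entra ID evaluates the real
policies; this only models the decision logic. Sign-in records are constructed.
"""
from dataclasses import dataclass
from typing import Optional

OFFICE_365 = "Office 365"  # cloud app both policies are scoped to


@dataclass(frozen=True)
class SignIn:
    user: str
    app: str
    client: str                         # "mobileApp" (Outlook, Teams, ...) or "browser"
    managed: bool                       # enrolled in Intune (MDM)
    compliance_state: Optional[str]     # "compliant", "inGracePeriod", "noncompliant" or None
    app_protected: bool = False         # client app runs under an App Protection Policy


# Session controls for the "restricted browser access" variant (Defender for Cloud Apps).
SESSION_CONTROLS = {"download": False, "print": False, "sign_in_frequency_hours": 1}


def evaluate_sign_in(s: SignIn, browser_mode: str = "block") -> dict:
    """Return the decision and the policy that produced it.

    browser_mode: "block" (browser access from unmanaged devices is blocked) or
    "restricted" (allowed only under session controls).
    """
    if s.app != OFFICE_365:
        return {"decision": "allow", "policy": None}

    # Policy 1 (company-owned devices): require a compliant device.
    # Intune reports "inGracePeriod" as compliant for Conditional Access purposes.
    if s.managed:
        if s.compliance_state in ("compliant", "inGracePeriod"):
            return {"decision": "allow", "policy": "require-compliant-device"}
        return {"decision": "block", "policy": "require-compliant-device"}

    # Policy 2 (unmanaged devices): approved client app with App Protection Policy.
    if s.client == "mobileApp" and s.app_protected:
        return {"decision": "allow", "policy": "require-app-protection"}
    if s.client == "browser" and browser_mode == "restricted":
        return {"decision": "restricted", "policy": "browser-session-controls",
                "session": SESSION_CONTROLS}
    return {"decision": "block", "policy": "require-app-protection"}


# Constructed scenarios matching the situations in the text.
SCENARIOS = {
    "company laptop, compliant, browser": SignIn("anna", OFFICE_365, "browser", True, "compliant"),
    "company laptop, in grace period": SignIn("anna", OFFICE_365, "mobileApp", True, "inGracePeriod"),
    "company laptop, noncompliant": SignIn("ben", OFFICE_365, "browser", True, "noncompliant"),
    "BYOD iPhone, Outlook with APP": SignIn("cara", OFFICE_365, "mobileApp", False, None, True),
    "BYOD iPhone, native mail app": SignIn("cara", OFFICE_365, "mobileApp", False, None, False),
    "BYOD iPhone, OWA in Safari": SignIn("cara", OFFICE_365, "browser", False, None),
    "hotel PC, browser": SignIn("dan", OFFICE_365, "browser", False, None),
}


def decisions(browser_mode: str = "block") -> dict:
    """Scenario name -> decision for the chosen browser handling."""
    return {name: evaluate_sign_in(s, browser_mode)["decision"] for name, s in SCENARIOS.items()}


if __name__ == "__main__":
    for name, decision in decisions().items():
        print(f"{name:40} {decision}")
    print(decisions("restricted"))
```

The ordering matters: the compliance check on managed devices runs first, so a company laptop that has fallen out of compliance is blocked even in the browser, while an unmanaged phone running the native mail app without an App Protection Policy is blocked by the second policy. Run the model in both browser modes when deciding whether the BYOD and hotel-PC cases should be blocked outright or allowed under session controls.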
Intune in the ISMS
Intune addresses multiple ISO 27001 controls:
A.8.1 (User endpoint devices):
- Device inventory via Intune
- Compliance policies as minimum requirements
- Encryption enforcement (BitLocker, FileVault)
- Remote wipe on loss or theft
A.7.9 (Security of assets and information outside business premises):
- VPN profiles for secure remote connections
- App Protection Policies for mobile devices
- Encryption of offline data
- Selective wipe on device loss
A.8.9 (Configuration management):
- Configuration profiles as a defined baseline
- Automatic distribution of security settings
- Deviation detection (device reports non-compliant when settings are changed)
A.8.8 (Management of technical vulnerabilities):
- Windows Update management via Update Rings
- Enforcement of minimum OS versions
- Integration with Defender for Endpoint TVM and patch management
A.6.2 (Terms and conditions of employment):
- Acceptable use policy for BYOD (what IT may and may not do)
- BYOD agreement (consent to MAM protection)
- Separation process: Selective wipe on departure
Documentation in the ISMS
For the ISMS, you need the following documentation. In ISMS Lite, compliance policies, configuration profiles, and BYOD agreements can be documented as technical and organizational measures (TOMs) and mapped to ISO 27001 controls:
Device management policy:
- Which devices are managed? (Company-owned, BYOD, both?)
- Which platforms are supported? (Windows, macOS, iOS, Android)
- Which enrollment method is used?
- What are the minimum compliance requirements per platform?
- Which configuration profiles are distributed?
- How are updates managed?
BYOD policy:
- Which BYOD scenarios are permitted?
- Which protection measures apply to BYOD? (MAM, Conditional Access)
- What data may the user process on their personal device?
- What happens on device loss? (Selective wipe)
- What happens on departure? (Selective wipe, deadline)
- User consent form
Processes:
- Enrollment process for new devices and new employees
- Process for device loss or theft
- Process for employee departure (return device / selective wipe)
- Process for non-compliance (escalation, deadlines)
- Regular review of compliance policies and configuration profiles
Step by Step: Deploying Intune in 4 Weeks
Week 1: Planning and Preparation
- Check licensing: Microsoft 365 Business Premium includes Intune. Alternatively, Intune Plan 1 as a standalone license.
- Define scope: Which devices should be managed? Which platforms? BYOD yes or no?
- Define compliance requirements: What are the minimum requirements per platform?
- Prepare communication: Inform employees about what Intune does and what IT can see (and what it cannot). Transparency builds acceptance.
- Request Apple Push Notification Certificate (required for iOS management)
- Set up Android Enterprise account (required for Android management)
Week 2: Configuration and Pilot Group
- Create compliance policies (per platform)
- Create configuration profiles (Wi-Fi, email, restrictions)
- Create App Protection Policies (for BYOD)
- Configure apps for distribution (Office 365, Company Portal, VPN client)
- Create Conditional Access policies (Report-Only!)
- Enroll pilot group (5–10 devices from the IT department)
- Test pilot group: Evaluate compliance, configuration profiles, app installation, Conditional Access in Report-Only mode
Week 3: Gradual Rollout
- Enroll first department (20–30 devices)
- Collect feedback: Identify issues, adjust configuration
- Switch Conditional Access from Report-Only to On (for pilot group and first department)
- Enroll additional departments
- Onboard BYOD devices with MAM (separate communication to affected employees)
Week 4: Completion and Documentation
- Enroll all remaining devices
- Activate Conditional Access for all users
- Establish monitoring process (compliance dashboard, notifications)
- Create ISMS documentation (device management policy, BYOD policy, processes)
- Train IT team (Intune portal, troubleshooting, remote actions)
Monitoring and Operations
Dashboard and Reports
Intune offers a comprehensive reporting dashboard:
Compliance dashboard:
- Number of compliant and non-compliant devices (percentage and absolute)
- Non-compliant devices by reason (e.g., OS outdated, encryption missing)
- Trend over time (is the compliance rate improving?)
App status:
- Installation status per app (successful, failed, pending)
- App versions on devices
Windows Update status:
- Devices with pending updates
- Feature update compliance (percentage of devices on the target version)
Regular Tasks
Weekly:
- Review non-compliant devices and contact users
- Review failed app installations and resolve
- Process new devices and enrollment requests
Monthly:
- Prepare compliance statistics for the ISMS dashboard
- Review Windows Update status (are all devices at the current patch level?)
- Evaluate App Protection Policy reports (are there violations?)
Quarterly:
- Review compliance policies (update minimum OS version)
- Review configuration profiles for currency
- Review BYOD agreements
- Reconcile device inventory with HR data (departed employees whose devices are still active)
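The monthly compliance statistics and the quarterly inventory reconciliation from the task lists above, as an added example that is not code from the original article or from Microsoft. The CSV is a constructed device list whose column names are an assumption (adjust them to whatever your export from the Intune devices view contains); the HR feed of departed employees, the user names and the reference time are likewise made up.

```python
"""Monthly compliance statistics and quarterly inventory reconciliation.

Added example, not code from the original article or from Microsoft. The CSV below is
a constructed device list whose column names are an assumption (rename them to match
your Intune export); the HR list is likewise made up.
"""
import csv
import io
from collections import Counter
from datetime import datetime, timedelta, timezone

DEVICE_EXPORT = """\
deviceName,userPrincipalName,complianceState,os,nonComplianceReason,lastCheckIn
LT-001,anna@example.com,compliant,Windows,,2024-06-09T08:12:00Z
LT-002,ben@example.com,noncompliant,Windows,OS outdated,2024-06-08T17:40:00Z
MB-003,cara@example.com,compliant,macOS,,2024-06-10T07:05:00Z
IP-004,dan@example.com,noncompliant,iOS,Passcode missing,2024-06-09T21:30:00Z
LT-005,erik@example.com,noncompliant,Windows,OS outdated,2024-04-20T10:00:00Z
AN-006,fay@example.com,compliant,Android,,2024-06-10T06:00:00Z
LT-007,ben@example.com,compliant,Windows,,2024-06-09T12:00:00Z
"""

# Constructed HR feed: UPN -> leaving date of departed employees.
HR_DEPARTED = {"ben@example.com": "2024-05-15", "erik@example.com": "2024-04-30"}

NOW = datetime(2024, 6, 10, 9, 0, tzinfo=timezone.utc)  # constructed reference time


def load_devices(text: str = DEVICE_EXPORT) -> list:
    """Parse the export into one dict per device."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_ts(value: str) -> datetime:
    """ISO 8601 with trailing Z (fromisoformat accepts 'Z' only from Python 3.11)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def compliance_summary(devices: list) -> dict:
    """Figures for the ISMS dashboard: rate, counts per platform, reasons."""
    compliant = [d for d in devices if d["complianceState"] == "compliant"]
    by_reason = Counter(d["nonComplianceReason"] for d in devices
                        if d["complianceState"] != "compliant")
    by_os = Counter(d["os"] for d in devices)
    return {
        "total": len(devices),
        "compliant": len(compliant),
        "rate_percent": round(100 * len(compliant) / len(devices), 1) if devices else 0.0,
        "by_reason": dict(by_reason),
        "by_os": dict(by_os),
    }


def stale_devices(devices: list, now: datetime = NOW, max_days: int = 30) -> list:
    """Devices that have not checked in for max_days: lost, shelved or forgotten."""
    cutoff = now - timedelta(days=max_days)
    return [d["deviceName"] for d in devices if parse_ts(d["lastCheckIn"]) < cutoff]


def departed_users_with_devices(devices: list, departed: dict = HR_DEPARTED) -> list:
    """Devices still enrolled for people HR lists as departed (offboarding gap)."""
    return [(d["deviceName"], d["userPrincipalName"], departed[d["userPrincipalName"]])
            for d in devices if d["userPrincipalName"] in departed]


if __name__ == "__main__":
    devices = load_devices()
    print(compliance_summary(devices))
    print("stale:", stale_devices(devices))
    print("offboarding gap:", departed_users_with_devices(devices))
```

The two reconciliation checks answer different questions: a stale device may simply be on a shelf, but a device still enrolled for a departed user is an offboarding gap that the separation process (return device or selective wipe) should have closed. Both lists are what the quarterly review should turn into tickets.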
Frequently Asked Questions
Can IT see my personal photos? No. With MAM without Enrollment, IT has no access to the device and cannot see photos, apps, browsing history, or location. With MDM (full enrollment), IT can see the device type, OS version, installed apps, and compliance status—but no personal data such as photos or messages.
What happens when a device is lost? For company-owned devices: Remote Wipe (device is reset to factory settings). For BYOD with MAM: Selective Wipe (only corporate data is deleted; personal data is preserved).
Do I need Intune if I already have on-premises AD and SCCM? Intune can run as co-management alongside SCCM (now Microsoft Configuration Manager). Workloads can be gradually migrated from SCCM to Intune. For new devices, Intune-only (cloud-native management) is recommended; for existing devices with complex SCCM configurations, a gradual co-management approach is advisable.
Does Intune work without internet? Intune requires an internet connection for enrollment and regular compliance checks (check-in). Between check-ins, the device functions normally, even offline. The default check-in interval is 8 hours. If a device is offline for an extended period (e.g., on vacation), it is automatically updated on the next check-in.
Further Reading
- Securing Microsoft 365: The 15 Most Important Security Settings
- Conditional Access in Entra ID: Policies for Mid-Market Companies
- Microsoft Defender for Business: Is the Switch from Classic Antivirus Worth It?
- Mobile Device Policy and BYOD: Rules for Smartphones and Tablets
- Secure Remote Work and Home Office: Technical and Organizational Measures
