
Enterprise Mobility + Security


Organizations continue to see growth in the number of devices and cloud services their employees use. While this lets people achieve more at work, it also requires IT to enable and support new and more complex scenarios with the same budget and resources. Organizations are looking for a solution that lets them manage their users, multiple device platforms, and different types of apps from one integrated, modern platform. We are excited to announce new features in Microsoft Intune that expand its unified endpoint management (UEM) capabilities. These improvements include conditional access enhancements across all platforms, integration with Jamf for macOS device compliance, a new co-management capability with System Center Configuration Manager (ConfigMgr) for modern Windows 10 management, and more.

Microsoft 365

Microsoft 365 is designed to enable a modern workplace for employees and a new approach for IT to simplify management, improve security, and lower costs. You can read more about this new approach in Brad Anderson’s Microsoft 365 powered device blog post and our latest Mechanics video.


One of the key elements of the Microsoft 365 powered device is the ability to modernize the deployment and management of Windows 10 and Office 365 ProPlus. We have been regularly adding new modern management features to Intune since the release of Windows 10. Some recent improvements include the ability to deploy Office 365 ProPlus, BitLocker management, integration with Windows Update for Business, and more. We are also working on new features, including the ability to run PowerShell scripts on Windows 10 devices through the Intune Management Extension, new Windows 10 MDM settings, and enhanced support for Windows AutoPilot, Windows Defender ATP, Windows Store for Business, and Surface Hub.

While there are many benefits to modern management, most organizations still use on-premises Windows Server Active Directory (AD) and System Center Configuration Manager (ConfigMgr) to manage their Windows devices. In conversations with our customers, we heard that until now it wasn't always easy to move to modern management. Some customer scenarios require the ConfigMgr agent, and there are still Windows 7 devices that need to be managed. Customers also rely on deeply integrated partner or homegrown solutions built around ConfigMgr, and planning the switch from traditional to modern management is complex given existing IT systems, organizational structures, and processes. Many organizations were looking for a simpler, more manageable way to transition from ConfigMgr and AD to a modern management approach with Intune and Azure AD. We are excited to make this possible with a new feature of ConfigMgr and Intune called co-management.

Co-management delivers a bridge that simplifies planning and reduces the risks as organizations transition the management of Windows 10 devices to cloud-based Intune and Azure AD. Co-management helps to streamline the journey to modern management in a controlled and iterative way. This allows IT to modernize some workloads of Windows 10 management (e.g. device compliance assessment for conditional access) while maintaining ConfigMgr for other workloads (e.g. Win32 app distribution) based on your needs and at your own pace with the end goal to fully transition to modern management.

Starting with the Anniversary Update (version 1607, August 2016), a Windows 10 device can be joined to on-premises Active Directory (AD) and cloud-based Azure AD at the same time (hybrid Azure AD join). Co-management builds on this and allows the device to be managed by both the ConfigMgr agent and Intune MDM. This lets organizations move individual workloads of their management to the cloud in manageable chunks. For example, customers can transition device compliance checks, resource access profile deployment, or Windows 10 update management from ConfigMgr to Intune while continuing to use ConfigMgr for other workloads such as software distribution and deep device security configuration. Over time, it will be possible to transition more workloads through co-management.
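Before switching a workload such as compliance assessment to Intune, a practitioner wants to confirm that a device actually meets the two preconditions above: it is hybrid joined (both on-premises AD and Azure AD) and it has both management agents present. The following PowerShell script is an added example, not code from the original post or from Microsoft. It parses the output of the real `dsregcmd.exe /status` command (present on Windows 10 1607 and later) and checks for the ConfigMgr client service, whose actual service name is `CcmExec`. The assumption that a non-empty `MdmUrl` field in the `dsregcmd` output indicates MDM (Intune) enrollment is an assumption of this example, and the sample `dsregcmd` output embedded at the bottom is constructed so the script can be run offline.

```powershell
# Added example, not from the original post. Summarise a Windows 10 device's
# join and management state before enabling ConfigMgr/Intune co-management.
# Assumptions: dsregcmd.exe exists (Windows 10 1607+); the ConfigMgr client
# service is named CcmExec (its real name); a non-empty MdmUrl field in
# dsregcmd output indicates MDM enrollment (assumption of this example).

function ConvertFrom-DsregStatus {
    # Turn "   Key : Value" lines from dsregcmd /status into a hashtable.
    param([Parameter(Mandatory)][string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Get-CoManagementReadiness {
    # $DsregOutput defaults to the live command; pass captured text to test offline.
    param([string[]]$DsregOutput = (& dsregcmd.exe /status))
    $s   = ConvertFrom-DsregStatus -Lines $DsregOutput
    $ccm = Get-Service -Name CcmExec -ErrorAction SilentlyContinue

    $domainJoined  = ($s['DomainJoined']  -eq 'YES')
    $azureAdJoined = ($s['AzureAdJoined'] -eq 'YES')

    [pscustomobject]@{
        DomainJoined    = $domainJoined
        AzureAdJoined   = $azureAdJoined
        HybridJoined    = ($domainJoined -and $azureAdJoined)
        MdmEnrolled     = -not [string]::IsNullOrEmpty($s['MdmUrl'])   # assumption, see above
        ConfigMgrClient = ($null -ne $ccm -and $ccm.Status -eq 'Running')
    }
}

# Constructed sample of dsregcmd /status output (not captured from a real device)
# so the parser can be exercised without running the command.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO
'@ -split "`r?`n"

Get-CoManagementReadiness -DsregOutput $sample | Format-List
```

On the constructed sample the device reports as hybrid joined; `MdmEnrolled` is false because the sample has no `MdmUrl` line, and `ConfigMgrClient` reflects whether `CcmExec` is running on the machine executing the script. Run it without the `-DsregOutput` parameter to check a real device.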

Another common use case is the ability to modernize OS deployment where a traditional imaging process can be replaced with Windows AutoPilot integrated with Intune and Azure AD while the rest of provisioning and management is done through ConfigMgr.

You will be able to learn more about these improvements in the recordings of our Ignite sessions (search for BRK3057, BRK3075, BRK3076, and BRK2079 on https://myignite.microsoft.com/videos after Ignite ends) as well as test it out in your lab in the upcoming ConfigMgr Technical Preview Branch release (version 1709). We are planning to make co-management generally available with the 1710 release of ConfigMgr Current Branch later this year.

Integration with Jamf for macOS device compliance

As a unified endpoint management (UEM) solution, we are always looking for ways to extend our platform through our partners to satisfy the unique needs of our customers. Today, we are excited to announce our integration with Jamf, a well-known solution for managing the Apple ecosystem. Jamf will integrate with Intune’s device compliance engine to provide an automated compliance management solution for macOS devices accessing applications connected with Azure AD authentication.

Jamf will send macOS device state information to Intune, which will then evaluate it against the compliance policies defined in the Intune console. Based on the device compliance state as well as other conditions (such as location, user risk, etc.), Conditional Access will allow, block, or require MFA for macOS devices accessing cloud and on-premises applications connected with Azure AD, including Office 365.

This integrated solution will be available in late 2017. For more information tune into the Jamf Nation User Conference Keynote livestream on Wednesday, October 25:  https://www.jamf.com/events/jamf-nation-user-conference/2017/.

The next wave of conditional access

In June, we announced the general availability of the new conditional access admin experience in the Azure portal. This powerful, simplified experience makes it easy to manage policies that bring together services across EMS, including Azure AD Premium and Microsoft Intune, and combine them with insight from the Microsoft Intelligent Security Graph, which scans billions of signals to determine user risk levels.

Today, Microsoft announced a whole new wave of scenarios that expand our conditional access capabilities, including integration across EMS’ Azure Information Protection and Microsoft Cloud App Security services, as well as additional scenarios that leverage Intune’s core MAM and MDM capabilities.

You can read about this next wave of conditional access capabilities in this post from Alex Simons that was published earlier today.

In case you missed it

As always, the last couple of months have been busy with the release of several product updates and new features. Here is a recap of some of these releases that are getting positive customer feedback.

  • iOS 11 and Android O support: In recent weeks, both Google and Apple announced updates to their operating systems. As you plan for both updates within your organizations, you can have the confidence that all existing Intune capabilities will continue to work as expected when users upgrade.
  • Enhanced macOS support: Over the last month, we added several improvements to our macOS management capabilities, including conditional access support and a new Company Portal for end users.
  • Intune Data Warehouse: The new Intune Data Warehouse takes our reporting capabilities a step further, giving you more powerful custom reporting around your environment over time. With a dataset spanning up to 90 days of historical data, you can connect the Intune Data Warehouse to Power BI, Excel or another analytics tool that supports OData feeds to view historical trends, get daily snapshots, and create other custom reports across multiple tables.
  • Mobile Threat Defense ecosystem: This past year, we’ve introduced integration with several leading Mobile Threat Defense (MTD) solutions, including Lookout, Skycure, and Check Point. This month, we’re excited to introduce our latest integration with Zimperium. This integration helps organizations defend against both known and unknown mobile threats and ensure that devices are risk-free and secure before users access corporate resources.

We are excited for you to try these new improvements! Please keep sending us your feedback.

Additional resources: