Microsoft Intune is a comprehensive cloud-based solution for managing mobile devices, PCs, and applications across corporate and personal boundaries. Intune provides a range of features to help organizations secure and manage devices, protect their data, and enable productivity. In this article, we will explore the different terms and definitions associated with Microsoft Intune.
Admin permissions or Directory Roles define the administrative scope for users and the tasks they can manage. Types of administrators:
- Global Administrator accesses all administrative features in Intune. By default, the person who signs up for Intune becomes a Global admin. Global admins are the only admins who can assign other admin roles. You can have more than one global admin in your organization.
- Password Administrator resets passwords, manages service requests, and monitors service health.
- Service support administrator opens support requests with Microsoft and views the service dashboard and message center. They have “view only” permissions except for opening support tickets and reading them.
- Billing administrator makes purchases, manages subscriptions, manages support tickets, and monitors service health.
- User administrator resets passwords, monitors service health, adds and deletes user accounts, and manages service requests. The user management admin can’t delete a global admin, create other admin roles, or reset passwords for other admins.
- Intune Service administrator has all Intune Global administrator permissions except permission to create administrators with Directory Role options.
Android Device admin is the legacy management method for Android devices. It offers limited application-management functionality and requires elevated administrative permissions on the device to perform certain tasks. It has been deprecated since Android 9.0.
Android Enterprise is an initiative to enable the use of Android devices and apps in the workplace. The program offers APIs and other tools for developers to integrate support for Android into their enterprise mobility management (EMM) solutions.
App configuration policy is the settings that are supplied automatically when the app is configured on the end-users device, and end-users don’t need to take action. The configuration settings are unique for each app.
App logs are files that record the activities that cause a change in the app and are used for reporting.
App protection policy is the rule that ensures an organization’s data remains safe or contained in a managed app. A policy can be a rule that is enforced when the user attempts to access or move “corporate” data, or a set of actions that are prohibited or monitored when the user is inside the app.
App types in Microsoft Intune:
- Apps from the store (store apps) – applications that have been uploaded to either the Microsoft store, the iOS/iPadOS store, or the Android store are store apps. The provider of a store app maintains and provides updates to the app. You select the app in the store list and add it by using Intune as an available app for your users.
- Apps written in-house or as a custom app (line-of-business) – applications that are created in-house or as a custom app are line-of-business (LOB) apps. The functionality of this type of app has been created for one of the Intune supported platforms, such as Windows, iOS/iPadOS, macOS, or Android. Your organization creates and provides you with updates as a separate file. You provide updates of the app to users by adding and deploying the updates using Intune.
- Apps on the web (web link) are client-server applications. The server provides the web app, which includes the UI, content, and functionality. Additionally, modern web hosting platforms commonly offer security, load balancing, and other benefits. This type of app is separately maintained on the web. Note that Android does not support web apps.
- Apps from other Microsoft services – applications that have been sourced from either Azure AD or Office Online. Azure AD Enterprise applications are registered and assigned via the Microsoft Endpoint Manager admin center. Office Online applications are assigned using the licensing controls available in the M365 Admin Center.
Apple Automated Device Enrollment (ADE) lets you create and deploy policy “over the air” to iOS/iPadOS and macOS devices that are purchased and managed with ADE. The device is enrolled when users turn on the device for the first time and run Setup Assistant. This method supports iOS/iPadOS supervised mode, which enables a device to be configured with specific functionality.
Apple push certificate is required for Intune to manage iOS/iPadOS and macOS devices and enroll users’ devices via Company portal or Apple’s bulk enrollment methods (Device Enrollment Program, Apple School Manager, Apple Configurator).
Application deployment is the process of installing, configuring, and enabling a specific application or set of applications through Microsoft Endpoint Manager.
Assigned groups are used when you want to manually add specific users or devices to a static group.
Autopilot is used to set up and pre-configure new devices to get them ready for productive use. In other words, it allows your organization to take a device that is fresh out of the box (straight from OEM), and send that device to your user/employee for immediate use.
Auto-enrollment is triggered by a group policy created on your local AD and happens without any user interaction (possible for Windows 10/11 devices).
Azure Active Directory (AD) is Microsoft’s cloud-based identity and access management service, which is used by Endpoint Manager for identity of devices, users, groups, and multi-factor authentication (MFA).
Azure Active Directory PowerShell is a module IT Pros commonly use to manage their Azure Active Directory. The cmdlets in the Azure AD PowerShell module enable you to retrieve data from the directory, create new objects in the directory, update existing objects, remove objects, as well as configure the directory and its features.
Azure AD Connect is a tool for connecting on-premises identity infrastructure to Microsoft Azure AD. The wizard deploys and configures prerequisites and components required for the connection, including sync and sign on.
Bring-your-own-device (BYOD) is a policy that allows employees in the company to use their personally-owned mobile devices (phones, tablets, and PCs) for work-related activities.
Bulk enrollment joins a large number of new Windows devices to Azure AD and Intune by creating a provisioning package with the Windows Configuration Designer (WCD) app.
Prerequisites for bulk enrollment are Windows 10/11 and Windows automatic enrollment.
Canonical Name record (CNAME record) is a resource record in the Domain Name System (DNS) that redirects enrollment to Intune servers (an alias).
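The enrollment CNAME records are easy to get subtly wrong (a typo in the target, or a record that was never published), so a quick check from an admin workstation is worth having. The script below is an added example, not part of the original article; it assumes contoso.com stands in for your verified domain and that the expected targets are the published Intune and Azure AD enrollment endpoints.

```powershell
# Added example: verify the DNS CNAME records that redirect Windows enrollment and
# device registration for a domain to the Intune / Azure AD endpoints.
# Assumption: contoso.com is a placeholder for your own verified domain.
$domain = 'contoso.com'

# Name -> expected CNAME target (the published Microsoft enrollment endpoints).
$expected = @{
    "EnterpriseEnrollment.$domain"   = 'EnterpriseEnrollment-s.manage.microsoft.com'
    "EnterpriseRegistration.$domain" = 'EnterpriseRegistration.windows.net'
}

foreach ($name in $expected.Keys) {
    # Resolve-DnsName returns the CNAME answer with the target in NameHost.
    $answer = Resolve-DnsName -Name $name -Type CNAME -ErrorAction SilentlyContinue |
        Where-Object { $_.QueryType -eq 'CNAME' }

    if (-not $answer) {
        Write-Warning "$name : no CNAME record found (enrollment will need the server address typed manually)"
        continue
    }

    $target = ($answer | Select-Object -First 1).NameHost.TrimEnd('.')
    if ($target -ieq $expected[$name]) {
        Write-Output "$name -> $target (OK)"
    } else {
        Write-Warning "$name -> $target (expected $($expected[$name]))"
    }
}
```

Run it after changing DNS and again after the TTL has expired; a stale cached answer can make a corrected record look wrong.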
Company portal is the app that lets employees of the company securely access the company’s resources:
- corporate resources like Office, email, OneDrive
- corporate resources with company-issued certificates
- business apps approved by the corporate IT department
Moreover, with Company portal it’s possible to:
- view and manage enrolled devices and wipe them if they get lost or stolen
- get help directly from the IT department
Compliance policy settings are tenant-wide settings that are like a built-in compliance policy that every device receives. Compliance policy settings set a baseline for how compliance policy works in your Intune environment, including whether devices that haven’t received any device compliance policies are compliant or noncompliant.
Conditional access policies at their simplest are if-then statements: if a user wants to access a resource, then they must complete an action, which usually takes the form of multi-factor authentication.
Co-management enables you to concurrently manage Windows 10 or later devices by using both Configuration Manager and Microsoft Intune. It lets you cloud-attach your existing investment in Configuration Manager by adding new functionality.
Corporate-owned devices (COD) include phones, tablets, and PCs owned by the organization and distributed to the workforce.
Detection rules are parameters used to determine the presence of a Win32 app. The detection rules ensure that the app installation only starts if the app is not installed yet.
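Besides the built-in file, registry and MSI detection rules, Intune accepts a custom detection script. The script below is an added example (not code from the original article) of such a script: Intune treats the app as detected only when the script exits with code 0 and writes something to STDOUT; any other exit code, or no output, means "not detected" and the install command runs. The product name "Contoso Agent" and the minimum version 2.5.0 are placeholders.

```powershell
# Added example: custom detection script for an Intune Win32 app.
# Detected   = exit code 0 AND output on STDOUT
# Not found  = non-zero exit code (or exit 0 with no output)
# Assumptions (placeholders): the app registers an uninstall entry whose
# DisplayName is "Contoso Agent", and anything below 2.5.0 must be reinstalled.

$RequiredVersion = [version]'2.5.0'
$DisplayNameMatch = 'Contoso Agent'

# Check both the native and the 32-bit (WOW6432Node) uninstall hives.
$UninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledVersion {
    param([string]$Name)
    $entries = Get-ItemProperty -Path $UninstallPaths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -eq $Name -and $_.DisplayVersion }
    foreach ($entry in $entries) {
        # DisplayVersion is free text; only accept values that parse as a version.
        $parsed = $null
        if ([version]::TryParse($entry.DisplayVersion, [ref]$parsed)) { return $parsed }
    }
    return $null
}

$installed = Get-InstalledVersion -Name $DisplayNameMatch

if ($installed -and $installed -ge $RequiredVersion) {
    # Detected: STDOUT output plus exit 0 tells Intune the app is present.
    Write-Output "Detected $DisplayNameMatch $installed (required >= $RequiredVersion)"
    exit 0
}

# Not detected (missing or too old): stay silent and return non-zero so Intune installs.
exit 1
```

The script runs as SYSTEM in the 32-bit PowerShell host unless "Run script as 32-bit process on 64-bit clients" is set to No, which is why both uninstall hives are queried explicitly.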
Device compliance policy is platform-specific rules you configure and deploy to groups of users or devices. These rules define requirements for devices, like minimum operating systems or the use of disk encryption. Devices must meet these rules to be considered compliant.
Device enrollment enables you to access your work or school’s internal resources (applications, Wi-Fi, and email) from your mobile device. Types of device enrollment: BYOD, COD, DEM, ADE, USB-SA, USB-Direct, Auto-enrollment, Autopilot, bulk enrollment, Android device admin, Android enterprise.
Device Enrollment Manager (DEM) is a special user account that’s used to enroll and manage multiple corporate-owned devices. Managers can install the Company Portal and enroll many user-less devices.
Dynamic groups (requires Azure AD Premium) are used when you want to automatically add users or devices to user groups or device groups based on rules you create. Dynamic group membership reduces the administrative overhead of adding and removing users.
Enterprise Mobility + Security (EMS) suite provides an identity-driven security solution that offers a holistic approach to the security challenges in this mobile-first, cloud-first era. There are two offerings available:
- Enterprise Mobility + Security E3 includes Azure Active Directory Premium P1, Microsoft Intune, Azure Information Protection P1, Microsoft Advanced Threat Analytics, Azure Rights Management (part of Azure Information Protection) and the Windows Server CAL rights.
- Enterprise Mobility + Security E5 includes all the capabilities of Enterprise Mobility + Security E3 plus Azure Active Directory Premium (AADP) P2, Azure Information Protection P2, Microsoft Cloud App Security, Azure Active Directory [AD] Identity Protection (as a feature of AADP P2), Azure Advanced Threat Protection, Azure AD Privileged Identity Management (as a feature of AADP P2).
Group membership types:
- Assigned: Administrators manually assign users or devices to this group, and manually remove users or devices.
- Dynamic User: Administrators create membership rules to automatically add and remove members.
- Dynamic Device: Administrators create dynamic group rules to automatically add and remove devices.
- Security groups define who can access resources and are recommended for your groups in Intune. For example, you can create groups for users, such as All Charlotte employees or Remote workers. Or create groups for devices, such as All iOS/iPadOS devices or All Windows 10 student devices.
- Microsoft 365 group provides collaboration opportunities by giving members access to a shared mailbox, calendar, files, SharePoint site, and more. This option also lets you give people outside of your organization access to the group.
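The dynamic groups and Dynamic Device membership type described above are driven by a membership rule that Azure AD evaluates continuously. The script below is an added example (not from the original article) that creates such a group with the Azure AD PowerShell module; it assumes the AzureAD module is installed, the signed-in account can create groups, Azure AD Premium licensing is present, and the group name, mail nickname and rule are illustrative.

```powershell
# Added example: create a dynamic device group for Intune policy assignment with the
# Azure AD PowerShell module. Azure AD adds and removes members automatically as
# device properties change, so no manual membership maintenance is needed.
# Assumptions: AzureAD module installed, an account allowed to create groups,
# Azure AD Premium licensing (required for dynamic membership).

Import-Module AzureAD
Connect-AzureAD   # interactive sign-in

# Dynamic membership rule (Azure AD rule syntax):
# corporate-owned Windows devices that are MDM-managed (i.e. enrolled in Intune).
$rule = '(device.deviceOSType -eq "Windows") and ' +
        '(device.deviceOwnership -eq "Company") and ' +
        '(device.managementType -eq "MDM")'

$group = New-AzureADMSGroup `
    -DisplayName 'All corporate Windows devices' `
    -Description 'Dynamic device group used as an Intune policy assignment target' `
    -MailEnabled $false `
    -MailNickname 'corpwindowsdevices' `
    -SecurityEnabled $true `
    -GroupTypes 'DynamicMembership' `
    -MembershipRule $rule `
    -MembershipRuleProcessingState 'On'

# Verify that the rule was stored and that processing is switched on; a rule with
# processing "Paused" silently stops adding devices, which is a common surprise.
Get-AzureADMSGroup -Id $group.Id |
    Select-Object DisplayName, MembershipRule, MembershipRuleProcessingState
```

Membership is populated asynchronously, so the group can appear empty for some minutes after creation.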
Intune compliance reports for updates:
- Windows update rings is a built-in report that’s ready by default and shows whether updates get installed on devices that run Windows 10 and Windows 11.
- Feature updates use two built-in reports to gain a deep picture of update status and issues:
  - Organizational report that provides an overall view of compliance for devices on a per-policy basis
  - Operational report that provides details on alerts – errors, warnings, information, and recommendations – on a per-policy basis to help troubleshoot and optimize your devices
Intune discovered apps is a list of the detected apps on the Intune enrolled devices in your tenant.
Intune for Education is a cloud-based, mobile device management (MDM) service for schools. It helps your teachers and students stay productive on classroom devices, and keeps school data secure.
Intune for US Government is an application and mobile management platform designed to help ensure security, privacy and control, compliance, and transparency. It meets federal, state, and local US government needs with physical and logical network-isolated instances of Azure. These instances are dedicated to US government with all customer data, applications, and hardware residing in the continental United States.
Kiosk mode means that the device’s functionality has been restricted either to a single app or multiple apps.
Managed app is an app that has app protection policies applied to it, and can be managed by Intune.
MDM authority determines how you manage your devices. The options are:
- Intune Standalone – Cloud-only management, which you configure by using the Azure portal. Includes the full set of capabilities that Intune offers.
- Intune co-management – Integration of the Intune cloud solution with Configuration Manager for Windows 10 devices. You configure Intune by using the Configuration Manager console.
- Basic Mobility and Security for Microsoft 365 – If you have this configuration activated, you’ll see the MDM authority set to “Office 365”. If you want to start using Intune, you’ll need to purchase Intune licenses.
- Basic Mobility and Security for Microsoft 365 coexistence – You can add Intune to your tenant if you’re already using Basic Mobility and Security for Microsoft 365 and set the management authority to either Intune or Basic Mobility and Security for Microsoft 365 for each user to dictate which service will be used to manage their MDM-enrolled devices.
Microsoft 365 (formerly known as Office 365) is a subscription-based evolution of the Microsoft Office suite (Word, Excel, PowerPoint, Outlook etc.) with additional features, like Teams, SharePoint and OneDrive. With Microsoft 365, employees can collaborate and communicate wherever they are, with any device and at any time. Information can easily be shared via the cloud.
Microsoft 365 admin center is the web-based portal administrators use to manage business in the cloud by adding and removing users, changing licenses, and resetting passwords.
Microsoft Authenticator application is a two-factor authentication program that provides one-time access codes not only for Microsoft accounts and products, but other sites and products.
Microsoft Defender for Endpoint integrates with Intune to monitor and help protect devices. You set risk levels and determine what happens if devices exceed that level. When combined with conditional access, you can help prevent malicious activity in your organization.
Microsoft Endpoint Manager is an end-to-end solution that helps deliver the modern workplace and modern management to keep data secure, in the cloud and on-premises. Endpoint Manager includes Microsoft Intune, Configuration Manager, Desktop Analytics, co-management, and Windows Autopilot.
Microsoft Endpoint Manager admin center is a one-stop web site to create policies and manage your devices. It plugs-in other key device management services, including groups, security, conditional access, and reporting. This admin center also shows devices managed by Configuration Manager and Intune.
Microsoft Intune is a 100% cloud-based mobile device management (MDM) and mobile application management (MAM) provider for your apps and devices.
Mobile Application Management (MAM) is an organizational practice and technology that allows companies to publish, push, configure, secure, monitor, and update mobile apps for all users within the company.
Mobile Device Management (MDM) is a process of monitoring, securing, and managing mobile devices in the enterprise network.
Multi-factor authentication (MFA) is a security technology that requires multiple methods of authentication to gain access to a resource. MFA works by requiring any two or more of the following verification methods:
- Something you know (typically a password or PIN).
- Something you have (a trusted device that isn’t easily duplicated, like a phone).
- Something you are (biometrics, like a fingerprint).
MFA is supported for iOS/iPadOS, macOS, Android, and Windows 8.1 or later devices.
Network boundary creates a list of sites that are trusted by your organization. This feature is used with Microsoft Defender Application Guard and Microsoft Edge to help protect your devices.
Operating system or OS is software installed on a computer’s hard drive that enables the computer hardware to communicate and operate with the computer software. Intune supported operating systems:
PowerShell is a cross-platform task automation solution made up of a command-line shell, a scripting language, and a configuration management framework.
Preference files on macOS devices include information about apps. For example, you can use preference files to control web browser settings, customize apps, and more.
Registry key is an organizational unit in the Windows registry, an internal database the computer uses to store configuration information.
Role-based access control (RBAC) helps you manage who has access to your organization’s resources and what they can do with those resources. By assigning roles to your Intune users, you can limit what they can see and change.
Retire action removes the device from Intune. It also removes managed app data, settings, and email profiles assigned by Intune. The user’s personal data stays on the device.
Shared device is a Windows device that doesn’t have a primary user but is shared between multiple users. It can be used in schools, where the devices are shared between multiple students and/or teachers.
Sync action forces the device to immediately check in with Intune. When a device checks in, the device immediately receives any pending actions or policies that are assigned. This feature helps you validate and troubleshoot policies you’ve assigned, without waiting for the next scheduled check-in.
The settings catalogue lists the settings you can configure. It’s not a template or a logical grouping of settings:
- On Windows, there are thousands of settings available, including many settings not found in the templates. When you want a complete list of all the settings, use the settings catalogue to create your policy. If you want to use a logical grouping of settings, then continue to use the templates.
- On macOS, you can configure Microsoft Edge version 77 and newer using the settings catalogue. In your policy, you configure individual settings. It doesn’t require a preference file.
USB-Direct: For direct enrollment, the admin must enroll each device manually by creating an enrollment policy and exporting it to Apple Configurator. USB-connected, corporate-owned devices are enrolled directly and don’t require a wipe. Devices are managed as user-less devices. They’re not locked or supervised and can’t support Conditional Access, jailbreak detection, or mobile application management.
USB-SA: IT admins use Apple Configurator, through USB, to prepare each corporate-owned device manually for enrollment using Setup Assistant. The IT admin creates an enrollment profile and exports it to Apple Configurator. When users receive their devices, they’re then prompted to run Setup Assistant to enroll their device. This method supports iOS supervised mode, which in turn enables the following features: Locked enrollment, Kiosk mode and other advanced configurations and restrictions.
Virtual private networks (VPNs) give users secure remote access to your company network. Devices use a VPN connection profile to start a connection with your VPN server.
Windows Hello for Business is a two-factor authentication method on devices that replaces passwords with biometric user credentials or a PIN. Biometric authentication is based on facial recognition or fingerprint matching.
Windows Information Protection (WIP) helps to protect against potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leaks on enterprise-owned devices and personal devices that employees bring to work, without requiring changes to your environment or other apps.
Wipe action is removing the device from Intune and restoring the device back to its factory default settings. Use this action before giving the device to a new user, or when the device is lost or stolen.
Zebra Mobility Extensions (MX), applicable to Android devices, are configuration profiles that allow administrators to use and manage Zebra devices in Intune. You create StageNow profiles with your settings, and then use Intune to assign and deploy these profiles to your Zebra devices.
Zero Trust is a security strategy based on the principle, “Never trust, always verify.” In terms of endpoints, that means always verify all endpoints. That includes not only contractor, partner, and guest devices, but also apps and devices used by employees to access work data, regardless of device ownership.