Know Your - Intune Mobile Device Management options

In this short-format blog post and to kick-start the new "Know Your" series, we'll be taking a high-level look into the available Intune management options for mobile devices, specifically focusing on Android and iOS/iPadOS endpoints.

The following depicts a best practices approach to mobile device management using Intune.

Sure, there are scenarios where diverting from best practices may make sense, at least for an interim period. For example, deploying unmanaged Application Protection Policies to devices that are corporately owned but just not managed yet, to at least deliver an element of management and protection until full enrolment can be performed. Or, using manual & unsupervised methods of enrolment for Apple Devices that are not yet registered within Apple Business/School Manager, and thus cannot support Supervised Automatic Device Enrolment. 

Although best practices are always recommended, where not immediately feasible, I'm a firm believer that "some" level of protection is always better than none. Just be careful not to fall into the trap of relying on this methodology long-term & watch out for any duplication of effort!

Corporate Device Enrolment

Devices must be factory reset at the point of enrolment, at which time, they can then be onboarded (and consequently enrolled) into Intune during the out-of-box-experience (OOBE) which is facilitated by Automatic Device Enrolment (ADE) facilitators such as Google Zero Touch and Apple Business/School Manager, assuming the devices have been registered to such services. Once powered on and connected, registered devices then download their targeted deployment profile, which in this case, would be the appropriate Intune deployments.

An added benefit is that in the event of a lost or stolen handset, the device will indefinitely be locked to said deployment profile and will consequently attempt to re-enrol upon every factory reset, thus becoming useless to any undesirable recipient, whilst also informing them that the device belongs to an organisation.

Android also supports another mechanism of corporate device enrolment in the absence of an ADE platform, where QR codes can be retrieved from Intune and then issued to end-users or administrators to scan during the OOBE workflow on the handset, which then triggers the enrolment process.

Android

📱Android Fully Managed = Devices are owned by the organisation, are affiliated with one single user, and are intended for corporate activities only. Devices can be managed to their fullest extent, in line with what Intune supports. This is the recommended form of end-user Android enrolment for corporate devices where only one single user accesses the device.

📱Android Dedicated Device = Devices are owned by the organisation, are not affiliated with any single user, and are intended for corporate activities only such as kiosk-style deployments or shared-device deployments. Devices can be managed to their fullest extent, in line with what Intune supports. This enrolment method comes in two flavours; Standard Dedicated Device mode and Entra ID Shared Dedicated Device mode. The prior is designed for non-user-specific data, and the latter enables multiple users to sign in and out of managed devices via their Microsoft 365 identities, which in turn will also sign them in & out of any supporting applications - A great option for frontline and shift workers.

📱Android Corporate Owned Work Profile = Devices are owned by the organisation, are affiliated with one single user, and are intended for both corporate and personal use. Corporate and Personal data is kept separate, guaranteeing the necessary levels of privacy for personal data, whilst ensuring that the device is managed from an organisational perspective.

📱Android Open Source Project = Devices are owned by the organisation and are considered specialist or purpose-built devices, such as AR/VR headsets or Meeting Room Devices. This enrolment method comes with two options; User-associated and Userless, the choice of which will depend on the device's use case.

iOS / iPadOS

📱User ADE (Supervised) = Devices are owned by the organisation, are affiliated with one single user, and are intended for corporate activities only. This enrolment method ensures that the device becomes "supervised", which means it can support all device-wide management and configuration capabilities that Intune has to offer. This is the recommended form of end-user iOS/iPadOS enrolment for corporate devices where only one single user accesses the device.

📱Shared ADE (Supervised) = Devices are owned by the organisation, are not affiliated with any single user, and are intended for corporate activities only such as kiosk-style deployments or shared-device deployments. This enrolment method ensures that the device becomes "supervised", which means it can support all device-wide management and configuration capabilities that Intune has to offer. Shared Device mode comes in two flavours; Shared iPads and Shared Device mode. The prior supports only iPadOS and partitions a pre-defined number of user partitions on the device, ensuring each user's data is segregated. If the ADE facilitator has been federated with Entra ID, users can use their Microsoft 365 identities to sign in. The latter supports iOS & iPadOS and enables multiple users to sign in and out of managed devices via their Microsoft 365 identities, which in turn will also sign them in & out of any supporting applications automatically via SSO, preparing the device for the next user - A great option for frontline and shift workers.

📱Apple Configurator (Supervised) = ADE is generally recommended over Apple Configurator, thus has been omitted from the illustration, as it does not offer a seamless Automatic OOBE deployment method. Devices are owned by the organisation and are intended for corporate activities only. This enrolment method requires that you connect each handset to a MacOS computer that has Apple Configurator installed & integrated with Intune. This method should only be considered when ADE is not available in your region.

Personal Device Enrolment

Personal Device enrolment does not require that the handset is factory reset to facilitate enrolment, and instead, requires that the user simply downloads the Intune Company Portal application, authenticates against it, and then follows the on-screen instructions to complete the enrolment flow. It's also worth noting that iOS/iPadOS endpoints also support web-based or account-driven enrolment, where the company portal application does not even need to be downloaded.

Android

📱Android Personally Owned Work Profile (aka. Android for Work) = Devices are owned by the end-user, and are primarily intended for personal use but also corporate use via a Bring Your Own Device (BYOD) support model. Upon enrolment, a work container is established on the device which is kept completely separate from the rest of the handset. This dedicated work container is managed by Intune, leaving the remainder of the device unmanaged and private to the end-user, which is therefore safe from actions such as remote wipes and restrictive configuration deployments.

iOS / iPadOS

📱Manual User Enrolment (Unsupervised) = Devices are owned by the end-user, and are primarily intended for personal use but also corporate use via a Bring Your Own Device (BYOD) support model. Upon enrolment, somewhat similar to Android POWP, the mechanism configures the handset to store corporate data on a separate volume and within managed applications only, separate from any personal data, ensuring privacy. Devices are enrolled in an unsupervised state and due to the nature of the enrolment type, only permit limited, but still useful, configuration options within Intune.

📱Manual Device Enrolment (Unsupervised) = Devices are owned by the end-user, and are primarily intended for personal use but also corporate use via a Bring Your Own Device (BYOD) support model. Upon enrolment, the device is fully enrolled into Intune, but in an unsupervised state. Unsupervised devices can still be managed and protected by Intune to a considerable extent, however, certain limitations do exist when compared to supervised mode, but not as many as Manual User Enrolment.

Application Protection Policies

Application Protection Policies focus on managing and protecting applications, specifically those that have been defined within the policies themselves, and only in the context of corporate data. No device management capabilities are offered as device enrolment is not required, however, comprehensive controls around organisational data within "managed" applications can still be enforced. These capabilities include the ability to remotely wipe corporate data from both enrolled and non-enrolled devices, as well as the ability to control the flow of corporate data between managed and unmanaged applications, including how users can interact with it.

📱Personal (Unmanaged) Devices = Devices are owned by the end-user, and are primarily intended for personal use but also corporate use via a Bring Your Own Device (BYOD) support model. However, the devices cannot (or should not) be enrolled into Intune. Instead, unmanaged Application Protection Policies are deployed to end-users to offer a level of protection when corporate data is being accessed from an in-scope and managed application, such as Outlook, OneDrive, and Teams.

📱Corporate (Managed) Devices = Devices are owned by the organisation, and are enrolled into and managed by Intune. In this case, managed Application Protection Policies are deployed to end-users to provide an additional layer of protection by introducing increased security measures to control how corporate data can be accessed and interacted with inside in-scope and managed applications.