intune

Windows Information Protection (WIP)

Microsoft Windows Information protection - “helps to protect against this potential data leakage without otherwise interfering with the employee experience. “

More of the time data leakage will be situations where hackers , ex or existing empoloyees or third parties try and extract company owned data for their benefit or resales value. Some examples of this could be a recruiter extracting all his customers to take to a new company, a employee extracting his worked on projects so he has a base to continue them on as a contractor.

Other cases could be totally by accident , where an employee copies a file to an Unencrypted USB stick and loses it , or emails it home to a personal email so they can work on it later.

Devices enrolled in windows InTune can have policies set to protect specific files and only allowed them to be opened in applications that support information protection , such as the Office suit or Adobe Products. You can then set granular permissions on what is allowed to be done with these files such as only print.

You can also make sure that documents are only opened on Enrolled devices to InTune which makes sure documents never leave the Company on purpose or by accident.

Price

If you have enrolled a device in Intune you should already have this as a license for free. It comes with the E3 mobility Security E3 License more price variables can be found here



Microsoft 365 InTune with Azure AD - Recommended Features

We have recently deployed Microsoft Intune in 365 for a customer and would like to share some great features of this product with you!

InTune is for device management being mobile phone, PC or Mac , you can control this from your 365 tenant and devices check in through an internet connection meaning no need to take the PC back to the office to deploy software or settings.

Deploy InTune with Azure AD

We recommend the minimum license you will need for this is Enterprise Mobility + Security E3 ( 6.60GBP / month/ user ) you can get Intune on its own as a seperate license , however you will want to setup auto enrollment so that users can join Laptops to Azure AD by themselves and it will deploy the needed apps and setting.

Windows Update Management

Enforce PC’s to update and have a global WSUS control panel in InTune to check the status of devices

Only allow Email on enrolled Mobile device

You can set security so only devices enrolled in InTune can receive emails. As you get Azure P1 License with the E3 Mobility License , this also enables you to get Azure Conditional Access which allows you to set these options

Deploying MSI are easier than Win32 Application Deployment

Hopefully most of your company apps will have MSI’s. These are very straight forward to deploy. If your app only has an .exe . then hopefully it has a silent installer. You can use the Win32 Packager to zip this up with the needed files for deployment. Tricky situations are when the .exe do not have silent .exe installation so you need to build an .msi from scratch using packaging software

Useful Items to configure with InTune

We really found no limitation thanks to powershell and Win32 Packager to what we could deploy. We replicated a whole standard Group Policy deployment and more

  • Rename PC using company name and serial or random number

  • Create a local admin for PC in case PC falls of Azure AD Domain

  • Enable Bitlocker

  • Deploy Signatures and ‘mail merge’ details from AD

  • Add Firewall Policies

  • Deploy Fonts

  • Deploy Outlook Settings

  • Deploy Printers with drivers

  • Deploy Drive Shares



Microsoft 365 Intune with EMS

If your organisation has Office 365 with Enterprise Mobility Suite (EMS), you’re probably already familiar with Intune, Microsoft’s solution for mobile device and application management.


ems.jpg

You can use EMS as a Single Sign on Solution to over 1200 Software as a Service Cloud Applications such and salesforce and box across devices and browsers

Active Directory Premium gives you full Active Directory into the cloud so you don't need local servers for management of Active Directory , see here for a full list of differences

Group membership can be requested by users to the groups Owner and this can be approved from the cloud

User Password resetting can be done in the cloud and automated to be self service to reduce the time for users to fix their issues and load on helpdesk staff

Intune is also your go-to solution for managing shared tablets in limited-use mode. With Intune, you can bulk provision, secure, and centrally manage shared tablets configured to run in limited-use mode.

 

This makes IT’s a job a lot easier: you don’t have to configure settings on individual tablets, and you don’t have to do anything differently than you would for devices not in limited-use mode. With Intune, your transactions, inventory, and other information are protected, no matter what your tablets are used for.