Describe the endpoint management capabilities of Microsoft 365

In today’s hybrid and remote workplace, organizations are challenged with managing a variety of devices, configured in different ways, that need access to their resources. Your organization might have Android and iOS mobile phones, Windows and macOS PCs, and custom devices your employees bring to work. Employees need to collaborate and securely access and connect to these resources from anywhere. IT departments need to manage end user access and protect data, all while supporting employees wherever they work. Microsoft provides the tools and services to simplify the management of these devices through its endpoint management solutions.

Microsoft Intune is a family of products and services that offer a cloud-based unified endpoint management solution. The Intune family includes Microsoft Intune service, Configuration Manager, co-management, Endpoint Analytics, Windows Autopilot and Intune admin center. These solutions can help manage, protect and monitor all your organization's endpoints.

Note

Endpoints are physical devices, such as mobile devices, desktop computers, virtual machines, embedded devices, and servers that connect to and exchange information with a computer network.

These solutions support data protection on both company-owned and personal devices using non-intrusive app management. They champion a Zero Trust security model through data protection and endpoint compliance while enhancing IT efficiency and improving both admin and end user experiences in hybrid work settings.

Note

Zero Trust is a security model consisting of three guiding principles: verify explicitly, use least privilege access, and assume breach. To learn more about Zero Trust, visit Zero Trust implementation guidance.

Let's explore how the Microsoft Intune family enables IT to configure and protect endpoints for better hybrid work experiences.

Microsoft Intune

Microsoft Intune is a cloud-based endpoint management solution that manages user access to organizational resources and simplifies app and device management across your many devices, including mobile devices, desktop computers, and virtual endpoints. Some of the key features and benefits of Intune include:

  • Intune allows management of users and devices (both organizational and personal) across platforms like Android, AOSP, iOS/iPadOS, macOS, and Windows, enabling secure access to organization resources through user-defined policies.
  • Intune streamlines app management, offering built-in deployment, updates, and removal capabilities, integration with private app stores, Microsoft 365 app support, Win32 app deployment, and tools for app protection policies and data access control.
  • Intune automates policy deployment for apps, security, device configuration, compliance, conditional access, and more.
  • The Company Portal app provides self-service features for employees and students, such as PIN/password resets, app installations, and more.
  • Intune partners with mobile threat defense tools, including Microsoft Defender for Endpoint and third-party services, to emphasize endpoint security, enabling policies for real-time threat response and automated remediation.
  • Intune's web-based admin center emphasizes endpoint management and data-driven reporting, allowing admins to sign in from any device with internet access.

Configuration Manager

Configuration Manager is an on-premises management solution to manage desktops, Windows servers, and laptops that are on your network or internet-based. Configuration Manager boosts IT productivity by reducing manual tasks and letting you focus on high-value projects. Configuration Manager enhances IT services by securely deploying applications and updates at scale, facilitating real-time actions on devices, offering cloud-driven analytics for both on-site and online devices, managing compliance settings, and providing thorough oversight of servers and computers. Configuration Manager collaborates with numerous Microsoft technologies. You can cloud-attach your Configuration Manager environment, allowing you to modernize and streamline your management solution.

Tip

If you need to manage a combination of both cloud and on-premises endpoints, you can use cloud attach to use both Intune and Configuration Manager. Cloud attach allows you to connect your on-premises Configuration Manager to the cloud without having to worry about disruption or risk. A Configuration Manager environment is considered cloud attached when it uses at least one of the three primary cloud attach features, which consist of co-management, tenant attach, and Endpoint analytics. You can enable these three features in any order you wish, or all at once.

Co-management

Co-management is one of the primary ways to attach your existing Configuration Manager deployment to the Microsoft 365 cloud, enhancing capabilities like conditional access. It allows simultaneous management of Windows 10 or later devices through both Configuration Manager and Microsoft Intune, enhancing your Configuration Manager's functions. Devices with the Configuration Manager client enrolled in Intune benefit from both services. The authority to shift specific workloads from Configuration Manager to Intune is in your control, while Configuration Manager retains authority over other workloads.

Note

Conditional access allows organizations to implement policies that control and restrict access to their resources based on certain conditions and criteria.

Tenant-attach

Tenant attach allows your device records to be in the cloud, enabling you to act on these devices from a cloud console. It provides real-time data from Configuration Manager clients, including those online. It also lets you manage endpoint security for both Windows Servers and Client devices from the Intune admin center, including antivirus status and malware reports.

Endpoint Analytics

Endpoint Analytics is a cloud-native service that provides metrics and recommendations on the health and performance of your Windows client devices. Endpoint Analytics is part of the Microsoft Adoption Score. These analytics give you insights for measuring how your organization is working and the quality of the experience you're delivering to your users. Endpoint analytics can help identify policies or hardware issues that might be slowing down devices and help you proactively make improvements before end-users generate a help desk ticket. You can use Endpoint Analytics on devices that are managed with Intune or Configuration Manager connected to the cloud.

Windows Autopilot

Windows Autopilot is a cloud-native service that sets up and pre-configures new devices, getting them ready for use. You can also use Windows Autopilot to reset, repurpose, and recover devices. It's designed to simplify the lifecycle of Windows devices, for both IT and end-users, from initial deployment through end of life. You can use Autopilot to preconfigure devices, automatically join devices to Microsoft Entra ID (formerly known as Azure Active Directory or Azure AD) or enroll devices in Intune, customize the out-of-box experience, and more. You can also integrate Autopilot with Configuration Manager and co-management for more device configurations.

Note

Microsoft Entra ID (formerly known as Azure Active Directory or Azure AD) is a cloud-native service that is used by Intune to manage the identities of users, devices, and groups. The Intune policies you create are assigned to these users, devices, and groups. When devices are enrolled in Intune, your users sign into their devices with their Microsoft Entra ID accounts. To learn more about Microsoft Entra ID, see Microsoft Entra ID documentation - Microsoft Entra | Microsoft Learn.

Intune admin center

The Intune admin center is a one-stop web site to add users and groups, create and manage policies, and monitor your policies using report data. If you use Configuration Manager tenant-attach or co-management, you can see your on-premises devices and run some actions on these devices.

Manage devices through the Intune admin center

Follow the interactive walkthrough to learn how to manage and protect mobile desktop applications through the Intune admin center.

To learn more about the Microsoft Intune family of products and services, see Microsoft Intune Core Capabilities | Microsoft Security.