FAQ ME! Microsoft Intune Jump Start FAQ!

Last week I ran the Microsoft Intune Core Skills Jump Start and, as promised multiple times during the event, here are the questions that folks on the Jump Start asked, together with the answers to those questions:

Q: Do we have the option to have Intune in [my / the] customer[‘s] DC rather than in the cloud?

A: No. Microsoft Intune has been architected from the ground up to run at scale in the Microsoft Cloud, on Microsoft Azure. We did this in part because it gives you fantastic levels of scale without the need for everything to come back to on-prem infrastructure. As the number of devices users have grows, your ability to manage those devices shouldn’t be constrained by an inability to grow the management infrastructure.

Q: Can Intune integrate with SCCM?

A: Absolutely! It’s designed that way; there’s documentation here on how to connect SCCM to Microsoft Intune.

Q: What is the unique feature that Intune has to coexist with SCCM for an organization that already has SCCM 2012?

A: Microsoft Intune, when connected to Configuration Manager 2012, makes it possible to manage mobile devices via Microsoft Intune from SCCM. You can see a full list of features on Microsoft TechNet; check out the “Which Configuration is for Me?” section.

Q: Does Intune have Digital Rights Management capability, or which DRM solution can it integrate with?

A: Azure RMS is part of the Enterprise Mobility Suite and can be used to protect your data.

Q: Intune can work through Azure, but is it possible to have an ADFS, ADFS Proxy and [Microsoft] Federated Identity Manager?

A: Yes, it is fully supported. This would enable you to have authentication for Azure AD flow through the on-premises AD FS infrastructure.

Q: Is it possible to clarify what is happening in the background when a mobile device is enrolled in Intune?

A: When a device is enrolled in Intune, three main things happen. First, the device is configured to trust Microsoft Intune as an MDM authority (iOS, Windows) or device administrator (Android). Second, the device and its information are added to Microsoft Intune and also to Azure AD as a device object tied to the user who enrolled the device. Third, the device requests policy from Microsoft Intune.

The actual blow-by-blow process varies per device.

Q: Can Intune standalone and Intune/SCCM live together side by side?

A: Not really. You could set up two tenants, with one configured in Hybrid and the other in standalone. You’d then need to think about where users are coming from. You could create cloud-only users for the standalone tenant and deal with them individually. You could also sync a specific set of users with one User Principal Name (UPN) suffix to your standalone tenant and users with another UPN suffix to the Hybrid tenant. I’m not really sure what the use case would be here though?

Q: Can I migrate from Standard to Hybrid?

A: Not on your own. You’ll need to call support, and we need to clear data from the standalone tenant before migrating to hybrid.

Q: Can we use Office 365 MDM and Intune on the same tenant?

A: That is the intent, but at the time of writing it’s not possible. The MDM authority needs to be set manually, which is something that Microsoft must do for you.

Q: Is Conditional Access for Exchange on-premises with SCCM/Intune already available?

A: Conditional Access for Exchange on-premises is currently only available with Microsoft Intune standalone.

Q: Do we need the exchange connector for conditional access to Exchange on-premises?

A: Yes.

Q: Is Apple iPad supported by Intune standalone?

A: Yes.

Q: If you sync your “on-prem” accounts with Intune and you already have some existing Office 365 user accounts that are cloud-only, will this create an issue?

A: No. If you already have Azure AD Sync/ADFS in place you can just use the same; there is nothing to configure. Just make sure that you create the Intune account using the same account as you use for Office 365.

Q: What can I do when a phone with corp data is lost and the phone does not have an internet or mobile connection?

A: You can’t do anything. It’s like having the phone turned off. But you can issue a wipe for the device, and when/if the device comes online, it will be wiped.

Q: Does the Intune client include Endpoint protection, or is that only with SCCM?

A: That’s available in both scenarios.

Q: Can I manage all, or at least most, aspects of Intune through SCCM, or are some management features split between SCCM and the Intune portal?

A: Today there are some limitations, but check this article out for what can be managed where.

Q: Is Conditional Access available in O365 MDM?

A: Yes, MDM in Office 365 includes the ability to manage conditional access to Exchange Online and SharePoint Online.

Q: If I make a change in the policy, is that pushed out, or do the users need to re-enroll the devices? For example, if I decide to change the password requirement?

A: No, they will just be asked to change the password to be compliant. However, some policies can lead to tattooing: for example, if you set an Assigned Access policy on Windows and then delete the policy from Intune, there is nothing to re-enable the apps that are outside of the Assigned Access policy.

Or, to put it another way: if you set a policy to push a “1” to a device and the device is currently set to “0”, the policy will set the device to “1”. Deleting the policy won’t make the device automatically revert, since it needs something to overwrite the value the policy set.

At its core, OMA-DM can do three things on a device: Get, Set and Execute.
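The tattooing behaviour described above, as an added illustration that is not part of the original post: a toy model of a device settings store driven by OMA-DM style Get/Set/Execute, showing that deleting a policy leaves the value in place unless the device has recorded the pre-policy baseline and restores it. The `Device` class, the function names and the node path are hypothetical and constructed for the example.

```python
# Added illustration, not the post's or Intune's own code. Models why an MDM
# policy "tattoos" a setting when the policy is deleted, and the mitigation of
# recording the pre-policy value so that removal can overwrite it again.
from dataclasses import dataclass, field


@dataclass
class Device:
    """Simulated device config store keyed by CSP-style node path (hypothetical)."""
    settings: dict = field(default_factory=dict)
    baseline: dict = field(default_factory=dict)   # value seen before policy applied
    log: list = field(default_factory=list)

    def get(self, node):                 # OMA-DM Get
        return self.settings.get(node)

    def set(self, node, value):          # OMA-DM Set; None means "node absent"
        if value is None:
            self.settings.pop(node, None)
        else:
            self.settings[node] = value

    def execute(self, node):             # OMA-DM Execute (just recorded here)
        self.log.append(f"exec {node}")


def apply_policy(device, policy):
    """Push each policy value with Set, remembering what was there first."""
    for node, value in policy.items():
        if node not in device.baseline:
            device.baseline[node] = device.get(node)
        device.set(node, value)
    return {node: device.get(node) for node in policy}


def delete_policy_naive(device, policy):
    """Deleting the policy in the console sends nothing to the device: tattooed."""
    return {node: device.get(node) for node in policy}


def delete_policy_with_restore(device, policy):
    """Mitigation: on removal, overwrite each node with its recorded baseline."""
    for node in policy:
        device.set(node, device.baseline.pop(node, None))
    return {node: device.get(node) for node in policy}


if __name__ == "__main__":
    node = "./Vendor/MSFT/Example/Setting"            # constructed sample path
    dev = Device(settings={node: "0"})                 # device currently "0"
    print(apply_policy(dev, {node: "1"}))              # policy pushes "1"
    print(delete_policy_naive(dev, {node: "1"}))       # still "1": tattooed
    print(delete_policy_with_restore(dev, {node: "1"}))  # back to "0"
```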

Q: With the emphasis on BYOD and mobile devices, should we anticipate treating desktops as just another flavor of a BYOD scenario?

A: Possibly, but probably not with desktops. There will be a class of devices that will be BYO, a class that will be company owned and a class that will be task-worker based. Those last two categories are probably going to require deeper management than BYO. Of course, you will need to be able to manage the mix.

Q: If I add a setting that only works on iOS and Windows Phone, what will happen if an Android user tries to enroll?

A: The agent won’t know what to do with the setting, so it will ignore the setting on that type of device.

Q: Where can we find a manageable list of the Windows CSPs? Not an exhaustive list!

A: This is the exhaustive list for Windows 10 (and it is still subject to change).


3 Comments

  1. Pingback: Azure RemoteApp Questions Answered - Enterprise Devices + Infrastructure

  2. Hi.. would you recommend using Intune Standalone or SCCM integrated? I take it that there are currently some limitations when using Intune SCCM integrated. Does Conditional Access for Exchange really not work via SCCM? Thanks

    • Both can do some things that the other can’t do today. Take a look at the feature comparison and decide based on the features you need…it’s like choosing a spanner or a ratcheted-spanner, both do the job, sometimes one is more appropriate than the other.
