Earlier this week at Microsoft Ignite, Brad Anderson shared our journey to architect Microsoft Intune from the cloud and for the cloud, resulting in the world’s leading mobility service at true cloud scale. Driven by that innovation momentum, customers are using Microsoft Intune and System Center Configuration Manager (ConfigMgr) to manage over 150M devices worldwide. We are excited to announce the next phase of our innovation, focusing on new capabilities to simplify modern desktop management, to secure data across a variety of devices and platforms, and enhance the native user experience for protected apps on iOS and Android devices. There has never been a better time to partner with Microsoft 365 unified endpoint management to drive your digital transformation.
Intune tenants receive new features on a rolling basis every month. There are so many other innovations that we shared during the week but we could not cover everything here. Bookmark the What’s New in Intune documentation page for the most updated information on feature releases.
Connect what you have today to the cloud and get the best of both worlds
We heard from our customers that they love the ability to add Intune to their existing infrastructure and benefit immediately from the scale, reliability, and security of cloud. IT professionals can build on the strong foundation they already have with ConfigMgr, add the intelligence from the Microsoft Cloud, and get instant new value and capabilities. Customers are now ready to do even more in the cloud, so we continue to deliver more.
At Ignite, we announced several new capabilities:
- Windows (Win32) app deployment using Intune: Building upon the existing support for line-of-business (LOB) apps and Microsoft Store for Business apps, administrators can use Intune to deploy most of their organization’s existing applications to end users on Windows 10 devices. Administrators can add, install, and uninstall applications for Windows 10 users in a variety of formats such as MSIs, Setup.exe, or MSP. Intune will evaluate requirement rules before the start of app download/ install and notify end users of the status or reboot requirements using the Windows 10 Action Center. This will effectively unblock organizations interested in shifting this workload to Intune and the Cloud. The same team that perfected Windows app deployment via Configuration Manager has now built this into Intune. This feature is currently in public preview and we expect to add significant new capabilities over the next few months.
- Security baselines for Windows 10 in Intune: Windows administrators can now leverage the intelligence of the cloud in order to set security policies. We are pleased to publish a set of Microsoft recommended security baselines in the Intune service that leverage the greatly expanded manageability of Windows 10 using Mobile Device Management (MDM). These security baselines will be managed and updated directly from the cloud – providing customers the most recent and most advanced security settings and capabilities available from Microsoft 365. Intune partners with the same Windows security team that creates Group Policy security baselines to offer their extensive experience for guidance and recommendations. If you're brand new to Intune, and not sure where to start, then security baselines give you an advantage. You can quickly create and deploy a secure profile to help protect your organization's resources and data. If you're currently using Group Policy, migrating to Intune for management is much easier with these baselines natively built into Intune's modern management platform. You may choose to create security policies directly from these baselines and deploy them to users or customize the recommendations to meet the needs of your enterprise. Intune service will validate that devices follow these baselines, report on baseline compliance and notify administrators if any devices or users move out of compliance. The baselines will be published over the next few weeks.
- Configuration Manager Integration with Desktop Analytics: The new Desktop Analytics service, announced earlier this month, will provide insight and intelligence for you to make more informed decisions about the update readiness of your Windows and Office clients. You can then optimize pilot and production deployments with ConfigMgr. Combining data from your own organization with data aggregated from millions of devices connected to our cloud services, you can take the guess work out of testing and focus your attention on key blockers. ConfigMgr administrators can leverage data from Desktop Analytics in several ways, including enablement of an intelligent pilot selection which ensures coverage of apps, add-ins and hardware, as well as deep integration with Phased Deployments for a data driven production rollout of task sequences, updates and applications.
- Flexible management for Windows as a service: As previously announced, starting with the next major version of Windows 10 and Windows Server, there will be only one quality update type and it will be smaller in size. ConfigMgr supports this new packaging of quality updates that makes Windows updates simpler to manage and redistribute. Additionally, administrators who enable co-management and attach ConfigMgr to Intune can view the health status of ConfigMgr clients directly in the Intune console. We continue to invest in ConfigMgr and Intune to deliver the most flexible management experience for Microsoft 365 endpoints.
New Windows Autopilot capabilities and expanded partner support: We are excited to announce two new Windows Autopilot capabilities:
- Windows Autopilot Hybrid Azure AD join support for user-driven deployments. You can now choose to join devices to either Azure Active Directory (available since Windows 10, version 1703) or Active Directory (new in Windows 10, version 1809).
- Windows Autopilot for existing devices. Use Configuration Manager to take your existing devices from Windows 7 to Windows 10, configuring them so that they go through the normal Windows Autopilot user-driven deployment process once booted into Windows 10.
These new features will be available in Windows 10, version 1809 (also referred to as the Windows 10 October 2018 Update. Learn more details here
Secure your corporate apps and data, on any device
One of the most powerful things about Microsoft 365 is that only trusted users, using trusted apps, get access to corporate data. We keep compromised devices away from your data, thanks to conditional access verification based on device configuration and compliance policies set with Intune. We are pleased to announce significant enhancements to the core security capabilities:
- Public preview for Android Enterprise fully managed devices: Intune is proud to work closely with Google as one of the first partners to build a modern management experience using the new Android Management API. This is an architectural investment that brings value to customers by allowing Intune to deliver Android features more quickly than ever before. We are pleased to announce a public preview of full device management for Android Enterprise devices by the end of the year. With this new capability based on the new ‘cloud’ architecture, Intune will offer a complete suite of management features for BYOD and corporate-owned deployments on Android Enterprise, adding fully managed device support to the existing app protection, work profile and dedicated device capabilities. Administrators may choose the extent of management appropriate for different departments and users within the organization, from enabling protected apps on unmanaged personal devices (bring your own device or BYOD) to fully managing the mobile experience, including the applications, devices, and locally stored data. Our recommendation for customers is to start planning how to adopt one of these Android Enterprise management modes, starting with the BYOD use cases now and evaluate the preview in next few months.
- Machine risk-based conditional access with threat protection: If malware is detected on any device, it is important to block the compromised devices from accessing corporate resources before it spreads. Intune has integrated with leading mobile threat defense solutions across all major platforms to receive real-time machine-risk information and apply Azure Active Directory (AAD) conditional access policies. A compliance policy would be configured in Intune that defines an acceptable level of machine-risk for the organization. The device is marked non-compliant by Intune if machine-risk level reported by the threat protection solution is above the threshold. When the threat is mitigated, the risk condition changes, and conditional access may allow user to launch the corporate app. This integration is supported with Windows Defender ATP, as well as several security partners such as Lookout, Zimperium, Checkpoint, Symantec, Pradeo, Better Mobile, and Google Play Protect.
- Support for more third-party certification authorities (CA) in Microsoft Intune. These CAs can deliver certificates to mobile devices using the Simple Certificate Enrollment Protocol (SCEP). This feature can issue new certificates and renew certificates on Windows, iOS, Android, and macOS devices. Entrust Datacard is already supported, and other partners will be coming on board in the next few months, including Comodo CA, GlobalSign, Digicert, CGI and Idnomic.
Empower users and administrators to be more productive
We are announcing new capabilities to help you secure sensitive information while making it easier to manage and deploy productivity apps with Intune.
- Enterprise scenarios come to Microsoft Edge for iOS and Android: We are excited to share the strides Microsoft Edge has made to be the best browser for both consumers and enterprises alike. Integrated browsing experience between mobile devices and Windows desktop is already available for enterprise customers. Intune management for Microsoft Edge is another significant step in providing secure yet familiar browsing environment for mobile users. The following Microsoft Edge enterprise features enabled by Intune policies are now in public preview:
- Dual-Identity - Users can add both work account as well as personal account for browsing, but with complete separation between the two sessions. Intune administrators will be able to set the desired policies for a protected browsing experience within the work account.
- Intune app protection policy integration - Administrators can now target app protection policies to Microsoft Edge, including the control of cut, copy, and paste, preventing screen captures, and ensuring that user-selected links open only in other managed apps.
- Azure Application Proxy integration - Administrators can control access to SaaS apps and web apps, helping ensure browser-based apps only run in the secure Microsoft Edge browser whether end users connect from the corporate network or the Internet.
- Managed Favorites and Home Page shortcuts - For ease of access, admins can set URLs to appear under favorites when end users are in their corporate context. They can set a homepage shortcut, which will show as the primary shortcut when the corporate user opens a new page or tab in Microsoft Edge.
- Deeper integration with Outlook mobile controls: Outlook for iOS and Android is now used on over 100M devices. Deeper configuration integration with Intune will help customers scale their deployments, enable faster account setup in Outlook mobile and simplify how administrators support and manage their users’ experiences. In the coming months, Intune administrators will be able to push specific Outlook mobile app configuration settings to their users right from within the new Intune console page for Outlook mobile, including the on/off state for syncing or saving contacts, Focused Inbox, touch ID, ability to block external images, and MailTips. Additionally, similar to our announcement early this year for Exchange on premises, administrators will soon be able to use mobile device management capabilities to send Outlook mobile setup configuration information to Office 365 modern authentication enabled accounts. Check out the Outlook mobile blog for more details on the new features and availability.
- Microsoft 365 Device Management: One of the promises of Microsoft 365 is simplified administration, and over the years we’ve integrated the back-end Microsoft 365 services to deliver end-to-end scenarios such as Intune and AAD conditional access. The new Microsoft 365 administration center is the place to consolidate, simplify, and integrate the admin experience. The specialist workspace for Device Management provides easy access to all of the device and app management information and tasks that your organization needs. We expect this to become the primary cloud workspace for enterprise end user computing teams. Try out devicemanagement.microsoft.com today!
- Enhanced controls for distributed IT: For customers with large distributed IT departments, Intune now provides the ability to set scope tags for individual policies, profiles and devices. Scope tags ensure that each division/ region/ department/ school/ agency/ etc. only has visibility into their respective profiles, policies or devices. This level of administrative control is imperative when IT departments have local autonomy, yet are part of a larger, single tenant. Scope tags are flexible and allow you to name each tag according to your business model and fit right in with your existing Intune Roles. Scope tags extend standard role assignments using standard administrative security groups as well as existing targeting controls. They now include policies, profiles and devices to support this distributed-roles model. This feature is available to all tenants since the 1808 release.
- Intuitive and native end-user experiences: A guiding principle for Microsoft 365 is an obsessive focus on improving the end-user experiences. On iOS endpoints, we will be introducing custom company branding in the company portal. Both the company portal and website were redesigned earlier this year for a modern experience, to display friendly messages and a guided enrolment experience for end users. Next quarter, administrators will be able to set customized notifications, specify wallpaper options, and restrict the ability to perform certain actions on personal devices, such as factory reset. One of the powerful enablers for mobile productivity is a centralized app provisioning and management experience. Intune supports Apple’s Volume Purchase Program (VPP) and Device Enrolment program (DEP) on both macOS and iOS, as well as the managed Google Play store and zero-touch enrollment (ZTE) on Android Enterprise. Several changes are being made under the hood on all platforms, and the overall user experience is greater than the sum of its parts. Sign up for a free trial and try the new Intune experience yourself.
Visit the new home for Microsoft Enterprise Mobility + Security blogs and join the Tech Community if you haven’t signed up already. Here are some other resources where you can learn more:
View Microsoft Ignite sessions here
What’s New in Intune – Product Documentation
Follow @MSIntune on Twitter