Today’s blog post was written by Marty Diamond, Senior System Administrator at Sonoma Partners.
Here at Sonoma, we promote a highly mobile workforce. Like other businesses, this means distributing internal apps to phones and tablets not owned by the company. Many mobile device management solutions have risen to assist with this challenge. We’ve used a handful of these with varying degrees of success. Recently, we have been piloting Microsoft’s Intune system, a part of Microsoft’s Enterprise Mobility Suite. Intune is interesting as a significant portion of it is dedicated not just to device management and compliance but application management, which offers many benefits to us.
Before delving too far into it, I should say that while Intune is a very flexible platform for managing a fleet of mobile devices, Sonoma’s use case is almost entirely dedicated to application distribution and updating. We have few company-owned mobile devices, those are used by our QA team, and they have very few requirements placed on them. This makes Intune very appealing: we can use it to simplify management of our mobile applications and scale up if needed.
We began testing with a simple task: log into the management portal and add a device. Getting there is simple enough. Once you’ve started the trial and assigned a license, Intune becomes another administrative portal launched from your Office365 portal. You are greeted with a set of startup prompts to help you navigate the portal from creating a policy to setting up your “Company Portal” to get devices into management. Once this is complete, the dashboard begins to fill with data about any devices it is managing.
The first real step within Intune is to define a policy. This is where we ran into our first “gotcha.” While the wizard takes you through defining a policy and creating other policies, it does not mention anything about deploying those policies. Nor does it mention that, by default, the existing Default Security Policy is not deployed. Missing this deployment step freezes the whole process: no device can be added unless a default policy is deployed.
Once we got past that, we continued testing with device onboarding. This process is critical: the easier we can make it for our staff to access the apps they need, the less IT overhead we need. This is where Intune scores some more victories—as a part of Office365, it works with our existing SSO. We simply needed to grant users licenses. From there, they are free to download the Company Portal app and sign in. The device add process is similar to other MDM solutions. It will ask the user for the permissions it needs to perform its functions (management certificates for iOS, device administrator for Android, etc.).
Notice that the Company Portal app allows for easy app discovery and management. As long as they meet the deployment criteria, users can easily find apps by category. They can also see what other devices they have enrolled and whether those devices are compliant. Each licensed Intune user is entitled to up to 5 devices (admins can limit this further).
For us, the star of the show was in app deployment. The Apps section does exactly what we need it to: deploy apps and keep them updated on our schedule. The first step is to add an app. Much like policies, the process here is to add it and then deploy it.
The Add App function launches a ClickOnce application that allows you to upload an app directly to Intune, host it at an external link, or—for iOS only—manage it from the App Store. This same application is used to manage existing deployments. From this ClickOnce application you can change what types of devices can run the app (in the case of iOS universal apps), rename the apps, and keep apps updated. This was critical for us. Once a user has downloaded an app from Intune, they will then always have the latest version of that app on their device. The same is true for any apps we require them to install. One note here is that apps deployed to device groups as required installs can take several hours after being uploaded to be deployed. The same is true for app updates. This delay does not appear to exist for apps deployed to users that are requested through the Company Portal.
In a lot of respects, Intune has more in common with System Center than with other established MDM products. For example, when you want to deploy an app to groups of devices, your only options are Install or Uninstall. You can only make an app available to people via the portal by deploying it to a group of users. While not immediately clear, this methodology makes a lot of sense: you might have separate groups for tablets and phones, but deploying a universal app to a user allows someone with both an iPhone and an iPad to get the app as needed without two separate deployments.
Some other notes to keep in mind when considering Intune:
- Intune supports direct connections to Exchange and SCCM. While we don’t employ these at Sonoma, leveraging them can give you more centralized control over devices.
- Intune is smart about app deployments. For example, if you deploy an APK file to the “All Mobile Devices” group and mark it as a required install, it won’t try to deploy it to iOS devices or Windows machines. Keep this in mind when deciding how best to deploy your various mobile applications.
- In our testing, sign-ins timed out very frequently, even in the Company Portal app (though the login itself is cached). This is a nice security measure, but it may cause confusion, so you will want to communicate it to your users.