Windows Intune 3.0: Preview

Summary: Version 3.0 of Microsoft's cloud-hosted management platform is now available, adding support for mobile devices — including iPhones, iPads and Android.


Microsoft's cloud-based management platform Windows Intune is just over a year old, and the third version has just been released. As before, Intune 3.0 gives you a single place to manage computers and mobile devices, with the tools you'd expect to find in a more traditional device and software management environment. Microsoft provided us with access to a preconfigured Intune system — the same one it used to manage the test labs at its TechEd conferences.

If you've used any of the earlier versions of Intune you'll find the new release familiar, with the same Silverlight-driven user interface. The Intune 3.0 management portal looks much the same as previous releases, making it easy to get started — and to handle migrations from older versions. The most obvious change is that it's easier to see and respond to an alert, and to work with multiple alerts at once. It's also easier to sort and filter alerts, which helps when a group of administrators are working with Intune.

Intune's Administration view lets you check your account status — including the number of seats in use, and how much cloud storage you've used for application packages.

AD in the cloud
One of the biggest changes in Intune 3.0 is the way it manages user accounts. Like Office 365, Windows Intune now uses the Azure Active Directory, which means that you can now synchronise user accounts with an on-premises Active Directory using Active Directory Federation Services. That's a big change, as it lets you use the same groups and policies that you have on-premises with your cloud-managed users and devices. Instead of reserving Intune for unmanaged users, and for road warriors, you can now use it as the sole management platform for a medium-sized organisation, as an alternative to System Center or any other management platform.

As well as sorting devices by location or type, you can use Active Directory groups to apply role-based rules. That way you can put in place policies for engineers, for marketing and for executives, and have them automatically applied as new users are added to each group.

That change also means a new sign-on service for admins, moving away from the consumer Windows Live ID to using the same sign-on tools as the rest of the Microsoft Online platform. This means you can use the same administrator account for Office 365 and Intune. If you've synchronised cloud and on-premises Active Directories, your users will be able to use the same password to connect to Intune as to the rest of the network.

Mobile devices: more than Windows
Intune can also now manage mobile devices, so long as they work with Microsoft's Exchange ActiveSync (EAS) protocol. That means you'll be able to use Intune to manage Windows Phone (7.0 or later), as well as devices running both Android (2.1 or later) and iOS (4.0 or later). Intune 3.0 lets you set device access policies that determine whether mobile devices can access network resources or use common services, and that control access to mail. Simple rules mean that if a device is unable to support any policies, it can be blocked from access.

Intune treats mobile devices as first-class citizens, with a similar set of views to desktop and laptop PCs. You can quickly see issues, and whether you've made any exceptions to policies — for example granting email access to non-compliant devices.

It's also possible to override the rules — so you can allow the CEO's iPhone to get email, for example, or let the marketing team use iPads. If devices are already connecting to Exchange, they'll automatically be added to your device inventory, so you won't have to go out and add management agents to devices that are already using your network. Instead, EAS handles policy deployment for you, simplifying working with users' own devices.

Policies and portals
Desktops and laptops remain at the heart of Intune, and the Intune management agent lets you push group policies to managed devices, as well as managing the bundled anti-malware tools (based on the Forefront Endpoint Security agent). Policy templates now have recommended settings, so you can start with the default policy framework and adapt it as required. You can also remotely refresh device policies. Software inventory and distribution tools remain a key part of the service, with support for both Microsoft and third-party applications, as well as giving you the tools for managing and controlling both operating system and application updates. If you're working with branch offices, there's also the option to use Microsoft's peer-to-peer software distribution tools to simplify application distribution, keeping bandwidth usage to a minimum.

The Intune user portal gives users a single place to manage their registered devices, as well as find and download applications. It's built using Metro design principles, and you can customise colours and basic layout, as well as add contact information.

Intune 3.0 also includes a web-based user portal. Log in and you'll see a software catalogue, as well as tools for installing the Intune Management Agent (and the option of calling support helpdesks). It's easy to configure, although customisation options are limited to adding a company name, contact details and changing the colour of the minimalist Metro-style tiles. There's also a mobile version of the portal, which works with supported mobile devices — and can be used for over-the-air installation of line-of-business applications. Microsoft is making a big bet on BYOD.

Windows 8 tablets — especially Windows RT devices — are unlikely to be domain managed. You'll be able to control them through Intune, using familiar tools to work with tablets and phones, while users can install approved software via the web portal. Windows RT tablets will ship with a built-in management agent, and Microsoft has demonstrated a Windows 8 Metro-style application for application deployment that's very similar to Intune's user portal.

Conclusions
The need for an on-premises Exchange Server is the one big flaw in the current version of Intune. Organisations that have made the shift to the cloud for user and device management are likely to have also moved their productivity servers to the cloud, using services like Office 365. If Intune is to support these users it needs either to implement a variant of EAS that only pushes device policies (for organisations using Google Apps) or, at the very least, to integrate with Office 365's cloud Exchange servers.

Intune is designed for networks that use Exchange for email access. You can use the policy tools in Intune to control access to mail servers — locking down access to corporate resources unless devices accept your policies.

It's clear that Intune is an important piece of Microsoft's management tools strategy. Improved alignment between the System Center and Intune teams means it's easy for administrators to switch from one platform to the other, with many common features. Intune brings together tools from Configuration Manager and Operations Manager, giving you much of what you need to manage users and devices in small and medium-sized businesses, while letting you pay for what you use. There's an added bonus, as an Intune subscription still includes usage rights for Windows 7 Enterprise.

Microsoft has been able to build on the System Center heritage in Windows Intune 3.0, as well as on its investment in cloud services like Office 365. The result is a one-stop shop for SME device management that's also ready for most enterprise use cases — as well as providing a platform for handling many BYOD issues. With Intune 3.0 now offering this range of capabilities there remains one final question: why use on-premises management tools at all?

Simon Bisson

About Simon Bisson

Simon Bisson is a freelance technology journalist. He specialises in architecture and enterprise IT. He ran one of the UK's first national ISPs and moved to writing around the time of the collapse of the first dotcom boom. He still writes code.

Talkback

3 comments
  • Another site says otherwise on your point above:

    "Windows 8 tablets — especially Windows RT devices — are unlikely to be domain managed"


    http://betanews.com/2012/04/23/microsoft-enterprise-licensing-changes-favor-windows-rt-put-android-and-ios-in-their-place/

    [The blog's description of the CDL has some quirks that deserve close examination. Aside from the fact that iPad owners need to buy it while Windows RT device owners don't, there's this:

    The CDL, even at extra costs doesn't level the playing field for non-Windows devices, since VDA rights are mentioned for Windows RT, but not for the CDL.
    Windows RT devices can use their VDA rights to access "a full VDI image running in the datacenter"; iPads get the right to access "their corporate desktop".
    The Windows RT right doesn't specify how many devices it applies to; the CDL applies to "four personally owned devices".]


    What are your points on this?

    Thanks
    nessrapp
    • Not quite...

      The Betanews article is about the licensing requirements for Remote Desktop access on devices - and while a remote desktop or a VDI image can be domain managed, Windows RT most definitely cannot.

      In practice Windows RT tablets are likely to be managed by Intune or similar for basic policies and for enterprise application loading, using an Azure AD user identity. More complex scenarios involve using the same device to access a Remote Desktop session or a Remote App, but in both cases it's the AD managed user identity that's key - not the device.

      What Microsoft is doing is beginning to turn the ship of IT away from device-centric management to the far more practical user- and information-centric approaches that are needed for cloud and BYOD scenarios.
      sbisson
      • Thanks

        for the response :)
        nessrapp