Microsoft has updated its cloud-hosted management platform with expanded OS support and direct (EAS-free) management of a range of mobile devices. It can also integrate with the on-premises System Center 2012.
The latest version of Microsoft's cloud-hosted device management software, Intune, is now available. Cloud development is different. In the old way of delivering apps, we'd have expected each release to be a significant upgrade, with new tools, new features, and often a whole new user interface. That's not the case in the cloud world, where releases take a more incremental approach, building on what's gone before. That's certainly the case with this fourth release of Intune, which Microsoft is calling "Wave D", adding support for Windows 8, Windows RT, and Windows Phone 8.
What's most important about this release of Intune is that it's a pointer to a more modern way of managing users and devices — one that's more in tune with the growing popularity of bring your own device (BYOD) schemes. Intune isn't about making devices part of a controlled environment — it's about understanding what rights users have, and what tools they need to support their tasks. Using Intune, you can control the software offered to devices via a corporate store, and ensure that users' devices are secure and have the latest software updates.
We've looked at Intune before, and the familiar Silverlight-based management user interface is still there. With Microsoft's move to a flatter, modern design language across many of its other management tools, Intune's design is starting to look a little old; given Silverlight's still-uncertain future, we were surprised that it hadn't made a transition to HTML5 — especially as some key elements, like the Company portal and the Admin portal, share the modern look and feel with Office 365.
Welcome to Wave D
One of the key new features in Intune Wave D is direct management for Windows Phone 8, Windows RT, and iOS. This is an important change, as it means you're no longer tied to delivering management through Exchange and Exchange ActiveSync (EAS), removing the requirement for an on-premises Exchange server for managing devices with a cloud service. Direct management also means you'll get deeper information about the managed devices than you would via EAS, letting you see IT policy violations and other errors. You'll also be able to sideload enterprise applications (both your own and third-party apps) onto devices, as well as manage any enterprise licenses you have for specific applications.
You'll need to register a domain name with Intune in order to use these tools. Registering a domain is easy if you're using Office 365 and use the same account to manage Office and Intune, as any cloud-managed domains will automatically be provisioned in Intune (along with any users in an Azure Active Directory). New domains can be registered by setting either a TXT or an MX record. Tighter integration between Intune and Azure AD means it's a lot easier to provision users — especially if you're synchronising with an on-premises directory. All you need to do is choose a user in the admin portal, and you're a click away from provisioning them in Intune.
The Intune Corporate Portal adds extra features, with the ability to deep link into the Windows Store to handle distribution of approved applications to Windows 8 and Windows RT devices.
Manage users, not devices
Intune's user-centric approach to management is key to supporting BYOD. Users can have multiple devices associated with their accounts, using the familiar desktop agent to manage laptops and PCs, or mobile devices managed through EAS, or with new direct management agents. Once a user is associated with a device, they can be added to a group, and the group is then used to distribute software and policies as needed. Where Intune is used to manage a BYOD fleet, policies are likely to be simple, with few deployed applications. What's essential here is ensuring devices are secure and up to date, with any line-of-business software widely available.
If you're using System Center 2012 to manage a population of corporate devices, you can make Intune part of your management platform with a new Intune connector. Once this is installed, you'll be able to use the System Center Configuration Manager console to control cloud-managed devices along with the rest of your network — bringing BYOD into the same management environment, while still preserving users' independence. It'll also mean that you can take advantage of Intune's MDM features, with System Center gaining the ability to manage iOS, Windows Phone 8, and Windows RT (as well as Android via EAS) alongside Windows PCs and servers. The connector also increases the population size Intune can manage, letting you work with up to 10,000 devices, and allows you to configure VPN connections for Windows RT devices.
Mobile device management
Getting Intune to manage Windows RT devices is relatively simple. Users will first need to enrol with the service using a registered user account. You can set up an autodiscover address for the Intune service by setting a CNAME for supported domains — otherwise, users will need to enter the full name of the registration service. Setup requires you to open the Windows control panel and, in the System section, choose the RT-only Company Apps option to start the device registration process.
Registering an RT device with Intune sends you to the Windows Store to download the company store app. This wraps the web company portal as a desktop app, so users will need to log in to access published apps and support information. That means you only need to configure this information once for all devices — whether using the web portal, EAS management, or local device management and apps.
Things are more complex for Windows Phone 8. You'll need to have a company developer account on the Windows Phone Dev Center. That will let you generate a certificate that can be used to sign the Windows Phone company portal app, which will be distributed by Intune when users register their devices with the service. The Company Store is downloaded as part of the registration process, and it gives users a single place to get support information and install applications. If you don't want to use the new tooling, then you can still use the web-based company portal to deliver links to apps and to provide support information (although this will require using EAS and an Exchange server to manage devices).
Similarly, you'll need to have an Apple Push Notification account to use the iOS direct management tools. These take advantage of iOS's built-in mobile device management features, with management profiles delivered when users register. Once a profile is delivered to an iOS device, users will also get a link to the web-based company portal.
Microsoft has also changed the way Intune is licensed to support its role as a BYOD management tool. Instead of a PC-based model, where each license included rights to use the latest Windows release, Wave D introduces a new user-centric default license, at £3.91 (US$6) per user per month. This gives you the tools to manage up to five devices per user — for example, a PC, a tablet, and a couple of smartphones. For organisations with more complex needs there's a higher tier that adds a Software Assurance license, allowing one device per user to be upgraded to Windows 8 Enterprise for £7.17 (US$11) per user per month.
Although Intune Wave D looks much the same as its predecessors, underneath the surface it's a much more capable tool. Improved mobile device management tools are the most obvious upgrade, along with integration with the on-premises System Center management suite. We'd have preferred less complex tools for managing some device classes, though — device security models do get in the way of delivering a simple experience. Despite that caveat, a focus on supporting BYOD scenarios is welcome, as is support for more than just Windows devices. This reflects an understanding that BYOD is about letting users choose the devices they want, not the devices that IT wants to manage.