According to PwC's latest report, CEOs in tech have assigned a complexity level of 10 to seven of the 11 areas in their organizations. Data is a chief point of concern, especially among large companies (revenues of $1 billion or more): data governance (77%) and data infrastructure (77%) ranked highest among areas of "unnecessary and avoidable" complexity.
Meanwhile, the June 2021 SolarWinds IT Trends Report found that 54% of respondents had visibility into less than half of their application and infrastructure estate.
CTOs have stressed the evolving needs of hybrid work and the growing volume of security threats in recent years, which has pushed them to pay for multiple tools from different vendors. Microsoft endpoint management consolidates those tools, saving IT admins time and improving the health and performance of endpoints.
Microsoft Intune gives your organization the flexibility it needs to control its critical data, regardless of the device. Because it is cloud-based, Intune can secure iOS, Windows, and Android devices from a single mobile management solution.
The 2023 Microsoft Intune service releases began rolling out in January with many new and improved application management features: macOS software update policies, a public preview of Microsoft Tunnel for Mobile Application Management (MAM) on iOS, and an updated supersedence and tracking experience for Win32 apps.
Microsoft has also announced a new advanced endpoint management solutions suite launching in March 2023. The plan is intended to further simplify endpoint management, secure your hybrid workforce, and deliver better user experiences across your organization.
Remote Help, Microsoft Tunnel for Mobile App Management, and other advanced management capabilities will all be available in the new Microsoft Intune premium suite, which we cover in more depth below.
Software update policy management for macOS devices
Keeping apps updated on users' devices gives them the newest productivity features while maintaining app security and stability, so app update management is crucial for a company's network. Intune simplifies the IT workload by letting a single admin oversee and manage devices throughout the company.
Until now, managing software updates on macOS devices was left to third-party tools. Intune now supports macOS software update policies on supervised devices.
This lets you control the timeframe of software updates, so IT admins can manage firmware, configuration files, and other critical updates, including vulnerability patches, from Intune. Keeping the built-in macOS protections (XProtect, Gatekeeper, and the Malware Removal Tool) and bundled apps such as Safari current through these updates is a large part of how they mitigate security risk.
Microsoft Tunnel for MAM on iOS
Manufacturing, finance, and healthcare have strict compliance and security requirements, so only authorized users are given access to corporate resources from personal devices. Those users otherwise have to either carry multiple devices or pull data from every location onto a single device.
Following the 2301 service release, expected in early February, Microsoft will release Tunnel for MAM on iOS in public preview. Microsoft Tunnel for MAM extends the Tunnel VPN gateway to unenrolled iOS devices for secure access to on-prem apps and resources using single sign-on, modern authentication, and Conditional Access.
Employees will be able to safely access resources on their unmanaged iOS devices without giving up device functionality or personal privacy. Device enrollment will not be required, which extends the existing Microsoft Tunnel capabilities for Intune-managed devices. Microsoft Edge will also support Tunnel for MAM on Android and iOS, in public preview soon.
From a business perspective, this lets IT pros manage corporate access without requiring enrollment, while still improving security and compliance for sensitive data accessed from personal devices. Organizations can run a bring your own device (BYOD) program rather than buying corporate-owned devices for every employee, with corporate data and user privacy both protected on every device.
This new feature will be included with Microsoft Intune Suite once it becomes available.
Improvements to Application Supersedence
The Win32 app supersedence feature lets admins upgrade or replace current Win32 applications with newer versions of the same app, or with a different app, in a controlled way. Since its introduction, feedback on how supersedence helps admins streamline app updates has been overwhelmingly positive.
Managing applications and all associated updates enhances user productivity and security as users access corporate data and applications from their Windows devices. This January, Microsoft is announcing general availability for Win32 application supersedence.
Here are the customer-requested improvements to how Intune manages Win32 apps:
The ability to create supersedence and dependency relationships within the same set of targeted applications, for more advanced application update scenarios
Allowing dependent applications to be uninstalled
More consistent applicability, requirement, and detection checks
Support for application supersedence tracking in the Enrollment Status Page (ESP), plus further improvements to ESP app tracking
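To make the ordering implied by these relationships concrete, here is an added example (not code from the article or from Intune itself) that models a small catalogue of Win32 apps with dependency and supersedence links and resolves a target app into an ordered action list. It is a simplified model with hypothetical app names: it assumes each app supersedes at most one older app, it models only the "replace" form of supersedence (the older version is uninstalled before the new one installs), and it installs dependencies first. It also catches the two failure modes a resolver must handle, a dependency cycle and a supersedence loop.

```powershell
# Added illustrative model of supersedence/dependency resolution, not Intune's own engine.
function Add-AppToPlan {
    param(
        [hashtable]$Apps,
        [string]$Name,
        [System.Collections.Generic.List[string]]$Plan,
        [System.Collections.Generic.HashSet[string]]$Visiting,
        [System.Collections.Generic.HashSet[string]]$Done
    )
    if ($Done.Contains($Name)) { return }
    if (-not $Apps.ContainsKey($Name)) { throw "Unknown app '$Name' referenced in a relationship" }
    # HashSet.Add returns $false if the app is already on the current path: a dependency cycle.
    if (-not $Visiting.Add($Name)) { throw "Dependency cycle detected involving '$Name'" }

    # Dependencies are installed first, recursively.
    foreach ($dep in $Apps[$Name].DependsOn) {
        Add-AppToPlan -Apps $Apps -Name $dep -Plan $Plan -Visiting $Visiting -Done $Done
    }

    # Walk the supersedence chain (new -> old -> older) and remove each older version.
    $seen = [System.Collections.Generic.HashSet[string]]::new()
    $old = $Apps[$Name].Supersedes
    while ($old) {
        if (-not $seen.Add($old)) { throw "Supersedence loop detected involving '$old'" }
        $Plan.Add("uninstall $old")
        $old = if ($Apps.ContainsKey($old)) { $Apps[$old].Supersedes } else { $null }
    }

    $Plan.Add("install $Name")
    [void]$Visiting.Remove($Name)
    [void]$Done.Add($Name)
}

function Resolve-InstallPlan {
    param([hashtable]$Apps, [string[]]$Targets)
    $plan     = [System.Collections.Generic.List[string]]::new()
    $visiting = [System.Collections.Generic.HashSet[string]]::new()
    $done     = [System.Collections.Generic.HashSet[string]]::new()
    foreach ($t in $Targets) {
        Add-AppToPlan -Apps $Apps -Name $t -Plan $plan -Visiting $visiting -Done $done
    }
    return $plan
}

# Constructed sample catalogue (hypothetical app names, assumed for the example).
# Supersedes = $null means the app replaces nothing.
$Catalog = @{
    'VC++ Runtime' = @{ DependsOn = @();               Supersedes = $null }
    'Reader 20.0'  = @{ DependsOn = @();               Supersedes = $null }
    'Reader 21.9'  = @{ DependsOn = @('VC++ Runtime'); Supersedes = 'Reader 20.0' }
    'Reader 22.1'  = @{ DependsOn = @('VC++ Runtime'); Supersedes = 'Reader 21.9' }
}

Resolve-InstallPlan -Apps $Catalog -Targets 'Reader 22.1'
```

Running it for 'Reader 22.1' yields the runtime install first, then the uninstall of each older Reader version down the chain, then the install of the target. Change 'VC++ Runtime' to depend on 'Reader 22.1' and the function throws on the cycle instead of looping, which is the behaviour you want from any resolver before it starts changing devices.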
The capabilities delivered in the Microsoft Intune premium suite will allow organizations to:
Consolidate and centralize the tools they use to protect and maintain their digital estate
Provide remote assistance
Eliminate the risk that comes with standing local admin rights
Support a BYOD device model with secure access for unenrolled mobile devices
Boost the health and performance of Windows endpoints
Minimize the complexity and effort of app deployments and updates
Android and Windows Remote Help
The initial version of Remote Help for Windows launched last April, and the March 2023 release brings enhancements to the Windows experience as part of the advanced management suite. For example, ServiceNow integration brings service management information into Intune for quicker resolution of users' problems.
There will also be clearer messaging about why a device is not compliant, and IT helpdesk staff will be able to hear audio from the person receiving remote assistance. The release also includes enhanced elevation, which lets helpdesk staff respond to the User Account Control prompt during a session when a task needs alternate admin credentials. Enhanced elevation balances user experience and security through just-in-time elevation requests from helpdesk personnel.
Another major enhancement arrives when Microsoft adds support for Android, which matters for admins who remotely support frontline workers. Admins will be able to contact users with Android devices in their companies, remotely diagnose the problem, and work with the user to resolve it immediately so they can get back to work.
Microsoft Endpoint Privilege Management
In early 2023, companies with Microsoft Intune subscriptions can try Intune Endpoint Privilege Management in public preview. It manages and automates when workers are permitted to use admin privileges for specific tasks on both Windows co-managed and cloud-connected endpoints.
With this feature, you no longer need to make users local admins. Users keep standard account privileges and are granted admin privileges for specific tasks, according to your company policies. This improves user productivity as well as security posture.
The purpose of the solution is to give IT admins the tools to make employees self-sufficient, within the principles of a Zero Trust architecture, one of which is least-privilege access.
Endpoint Privilege Management lets you define rules under which a standard user's elevation request is granted automatically or only after the user provides credentials. This automation lets your organization securely perform tasks like installing approved apps or devices without contacting the IT helpdesk, saving time and money.
Intune Endpoint Privilege Management will roll out as part of the suite of advanced endpoint management solutions, and you can request it as an add-on for your existing subscription.
Intune: Device Compliance & Protection
Devices enrolled with Intune (Microsoft Endpoint Manager) are evaluated against compliance policies, and Conditional Access can require a compliant device before granting access to cloud applications.
The device compliance status chart shows the compliance state of every Intune-enrolled endpoint. The compliance states are recorded in two places: Azure Active Directory and Intune.
The device compliance policy states are:
Compliant: The device successfully applied one or more device compliance policy settings.
In-grace period: (not supported on Linux) The device is targeted with one or more device compliance policy settings but the user hasn't applied them yet. The device is non-compliant, but within the grace period the admin defined.
Not evaluated: (not supported on Linux) An initial state for newly enrolled devices. Possible reasons:
Devices that aren't assigned a compliance policy and don't have a trigger to check for compliance
Devices that haven't checked in since the compliance policy was last updated
Devices not associated with a specific user, such as:
- iOS/iPadOS devices purchased through Apple's Device Enrollment Program (DEP) that don't have user affinity
- Android kiosk or Android Enterprise dedicated devices
Devices enrolled with a device enrollment manager (DEM) account
Non-compliant: The device failed to apply one or more device compliance policy settings, or the user hasn't complied with the policies.
Device not synced: (not supported on Linux) The device failed to report its compliance policy status for one of the following reasons:
Unknown: The device is offline or failed to communicate with Intune or Azure AD for other reasons.
Error: The device failed to communicate with Intune and Azure AD, and received an error message with the reason.
Checking status: (only applies to Linux) Intune is evaluating the device's compliance with your organization's policies.
How to achieve device compliance:
Create compliance policies for each device type (Android, Windows, macOS and iOS/iPadOS)
Assign the compliance policies to users and devices
Review the tenant-wide compliance policy settings and update policies as requirements change
Create Conditional Access policies that require a compliant device
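The steps above are usually clicked through in the admin center, but they map directly onto Microsoft Graph calls, which is how you would script them for many tenants or keep them in source control. The following is an added example (not code from the article) using the Microsoft Graph PowerShell SDK: it creates a Windows compliance policy whose non-compliance action has a 24-hour grace period (the "In-grace period" state described above), assigns it to a group, and then summarizes the compliance state of every managed device. It assumes the Microsoft.Graph module is installed, that the signed-in account can consent to the two listed permissions, and that the placeholder $TargetGroupId is replaced with a real Azure AD group object id; the policy name and minimum OS build are illustrative choices.

```powershell
# Added example: compliance policy lifecycle via Microsoft Graph. Not the article's own code.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All','DeviceManagementManagedDevices.Read.All'

$TargetGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder, replace with your group id

# 1. Create the policy. scheduledActionsForRule is mandatory: a device that fails the
#    rule is marked non-compliant (and blocked by Conditional Access) only after the
#    24-hour grace period, which is what shows up as "In-grace period" in the chart.
$policy = @{
    '@odata.type'           = '#microsoft.graph.windows10CompliancePolicy'
    displayName             = 'Windows baseline - BitLocker, Secure Boot, OS version'
    passwordRequired        = $true
    bitLockerEnabled        = $true
    secureBootEnabled       = $true
    osMinimumVersion        = '10.0.19045'        # illustrative minimum build
    scheduledActionsForRule = @(
        @{
            ruleName                      = 'PasswordRequired'
            scheduledActionConfigurations = @(
                @{ actionType = 'block'; gracePeriodHours = 24; notificationTemplateId = '' }
            )
        }
    )
}
$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies' `
    -Body ($policy | ConvertTo-Json -Depth 6) -ContentType 'application/json'

# 2. Assign the new policy to a group (the "assign" action takes the full assignment list).
$assignment = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $TargetGroupId } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 6) -ContentType 'application/json'

# 3. Summarize compliance states across managed devices. Single quotes keep $select literal.
$devices = Invoke-MgGraphRequest -Method GET `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$select=deviceName,operatingSystem,complianceState,lastSyncDateTime'
$devices.value | Group-Object complianceState | Select-Object Name, Count
```

Invoke-MgGraphRequest returns a hashtable by default, which is why the response is read as $created.id and $devices.value. The managedDevices query is paged; in a tenant with more than a page of devices, follow the '@odata.nextLink' value in the response until it is absent before trusting the counts. Devices that show up as noncompliant with an old lastSyncDateTime are the "Device not synced" case from the list above, not necessarily a policy failure.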
Microsoft Tunnel for Management of Mobile Apps
Tunnel for MAM is convenient for end users, who can use one device for work and personal use instead of carrying multiple devices. Device enrollment is not required, so corporate data remains protected even when an end user does not grant IT control over their personal device. From an organizational perspective, companies can adopt a BYOD program rather than buying corporate-owned devices for all their employees, with user privacy and corporate data both kept secure on BYOD devices.
Microsoft Tunnel for MAM extends the Tunnel VPN gateway to unenrolled iOS and Android devices for secure access to on-prem apps and resources, so employees can reach those resources from their unmanaged BYOD devices. Because enrollment is not needed, this expands on Microsoft's existing Tunnel capabilities.
MAM on Android and iOS will be part of the new suite in March 2023.
Advanced Endpoint Analytics
Endpoint analytics uses automation and intelligence to help IT admins, helpdesks, and end users improve the end-user experience. It does this by analyzing the health and performance of your company's endpoints and driving improvement actions through automation.
This new suite of advanced management solutions will include several analytics features to help IT admins to understand, anticipate, and improve the technology experiences for their employees regardless of their location.
Also, admins can now investigate and address the needs of specific groups of managed devices with enhanced drill-down capabilities. These make it simple for IT admins to identify opportunities for improvement and prioritize targeted actions for those within your organization. In addition, you can understand how the experience quality differs between those who work remotely and those who work in office.
AI, machine learning, automation, and real-time visibility come together in the new anomaly detection capability. With anomaly detection, admins no longer need to monitor custom dashboards or manage complex alert systems to confirm devices are working as expected. Instead, they get an early warning mechanism that surfaces user-impacting issues before they are reported through other channels, which reduces lost productivity from misbehaving devices, apps, or infrastructure.
Anomaly detection will automatically pinpoint abnormalities like app crashes, unexpected machine reboots, and hardware failures. They are grouped based on severity and provide relevant information, so admins can get to the bottom of the issues immediately on impacted devices.
Automation is critical to resolving issues. Proactive remediations in Endpoint analytics fix common support issues before end users notice there is a problem. With the advanced endpoint management suite, IT admins and helpdesk operators will also be able to run custom remediation scripts on individual devices on demand, in real time, within their troubleshooting sessions. These scripts deliver instant fixes or modify the device configuration to keep devices performing optimally.
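A proactive remediation is a pair of PowerShell scripts: Intune runs the detection script on a schedule, and only if it exits non-zero does the remediation script run. Below is an added example of such a pair (not code from the article) that enforces LSA protection (the RunAsPPL value), a setting that stops non-protected processes from reading credential material out of lsass.exe. It is written for the default configuration in which Intune runs the scripts in 64-bit PowerShell as SYSTEM, which is required to write under HKLM; the script file names are my own.

```powershell
# Added example: Proactive Remediation script pair. Exit 0 = compliant/fixed, exit 1 = needs remediation/failed.

# ---- Detect-LsaProtection.ps1 ----
$Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Name = 'RunAsPPL'
try {
    $value = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
} catch {
    $value = $null   # value absent: LSA protection has never been configured
}
# 1 and 2 both mean LSA protection is enabled (2 is the newer "without UEFI lock" value).
if ($value -in 1, 2) {
    Write-Output "RunAsPPL=$value, compliant"
    exit 0
}
Write-Output "RunAsPPL missing or set to '$value', remediation required"
exit 1

# ---- Remediate-LsaProtection.ps1 ----
$Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
try {
    Set-ItemProperty -Path $Path -Name 'RunAsPPL' -Value 1 -Type DWord -ErrorAction Stop
    Write-Output 'RunAsPPL set to 1; LSA protection takes effect after the next reboot'
    exit 0
} catch {
    Write-Output "Failed to set RunAsPPL: $($_.Exception.Message)"
    exit 1
}
```

Upload the two scripts as one remediation, targeted at a pilot group first. The Write-Output lines matter: Intune stores the last line of stdout as the detection and remediation output, so a short state string there is what you will see in the device status report when you are working out why a device keeps re-remediating.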
Moving Forward and Further Value
The new premium suite of advanced solutions will incorporate more capabilities at launch. For example, organizations are becoming more reliant on purpose-built specialty devices to address business needs, not just smartphones and PCs. Managing and protecting all devices in an organization is a key principle in achieving Zero Trust.
Specialty devices are only getting smarter, as the recent arrival of virtual reality headsets and smart devices in conference rooms shows. These devices increasingly hold, and have access to, company information, which makes securing them a necessity.
Upon availability of the new suite, organizations will have freedom to manage, configure, and protect these specialty devices. For organizations with frontline workers, Intune will provide them with the flexibility to deploy the right device while protecting organizational data with app and conditional access policies.
Following the initial release, Microsoft will continue to add capabilities to the suite. They plan to extend MAM to support multiple company-managed accounts on one device. This will be especially useful in professional services, for example lawyers who are client-facing but also need to manage employees internally. With several managed accounts, workers can use one device across multiple organizations, with flexibility and data protection regardless of the account in use.
Other functionality such as advanced cloud certificate management is on the horizon, which will further simplify IT workloads and drive more integrated security.
You can learn more about premium add-on capabilities in the Endpoint Manager admin center, which shows which licenses are applied to your tenant and gives Global and Billing admins direct access to the Microsoft 365 admin center. There they can start a trial or manage user licenses for the add-ons and, when ready, the new endpoint management solutions suite.
Microsoft will offer this new cost-effective, premium plan to subscribers of Microsoft 365 E3 and E5 or any plan including licenses for Microsoft Intune. The individual solutions will remain available as standalone add-ons, but the new plan will be available for less than the sum of all the add-ons.
This bundle of advanced capabilities will be a great opportunity for IT teams who have juggled multiple point solutions for a long time, along with the security risks that come from using various, non-integrated solution vendors. March 2023 will mark the beginning of a step-change in Microsoft's endpoint management offer, so we highly suggest starting the planning process as soon as possible.
To get started with Intune, first make sure you have purchased the appropriate licenses and meet Intune's prerequisites.
After the requirements are met, you’ll need to configure your company’s domain name with Intune. You can then use Azure Active Directory to sync existing users and groups with Intune. Once your users are added to Intune, you can assign them licenses, giving users permission to use Intune. From here, you can begin adding applications, configuring and enrolling devices as needed.
For help getting your organization set up on Microsoft Intune, contact Datalink Networks today for a free consultation!