Out of Tune? Is Microsoft Intune Right for Managing Your Mobile Devices in 2022?

Intro and Background of Intune (Microsoft Endpoint Manager)

Nothing is ever truly free in this world.

Microsoft may like you to think their Unified Endpoint Manager (UEM) solution is free to use (since it’s included in existing Microsoft 365 subscriptions), but a lack of features and options will leave you wondering if the savings are truly worth it.

Sure, it sounds appealing to those managing IT budgets when compared to the high costs of competitors like WorkspaceONE and SOTI, but what is the true “cost” of choosing Endpoint Manager to remotely manage your Android devices?

This article will provide an Android-focused viewpoint of Microsoft Endpoint Manager and what should be considered when selecting it as your organization’s UEM.

First, let’s start with a little background:

What is a UEM?

A Unified Endpoint Manager is a single pane of glass to configure, manage, and secure endpoint devices (e.g., laptops, tablets, and handheld devices).

Why do you need one?

A UEM ensures company security standards remain enforced and allows the necessary software to be installed on devices. Network configurations are pushed to prevent Wi-Fi password sharing and to lock down access to settings. All this and more is done via the UEM acting as the device owner.

What does Microsoft offer?

Microsoft’s UEM, Endpoint Manager (formerly known as Intune), supports Windows, Apple, and Android devices. Existing Microsoft 365 subscriptions allow for additional licenses. Each use case varies, so not every device or user may require a license.

What other options are available?

Endpoint Manager is generally a lower-cost option. However, when compared to other UEMs, it isn’t as feature-rich or mature. Many organizations are evaluating and experimenting with migrating to Endpoint Manager for two main reasons: reducing spending for device management and potential integration with existing O365 and Active Directory accounts.

Endpoint Manager - Intune Benefits / Unique Offerings

With Endpoint Manager closely tied into the Microsoft ecosystem, several benefits come with consolidating your platforms and vendors.

Cost

The low license cost drives many organizations to consider Endpoint Manager. Organizations that already have access to Endpoint Manager with their Microsoft 365 Enterprise license have a smoother transition. Others will need to add the S3 or S5 Enterprise Mobility + Security package to their subscription or purchase access standalone. A single user is as low as $6/year and can enroll unlimited dedicated devices (i.e., shared and kiosk). If the requirement is a bring your own device (BYOD) or corporate-owned, personally enabled (COPE) model, each user will need a separate subscription. Microsoft pricing information lives here.

Microsoft Integrations

Endpoint Manager’s integration with Office 365 apps and other Microsoft products is super convenient. Your organization may already be leveraging these products and applications. At the very least, end-users might be somewhat familiar with the software. Implementing Microsoft integrations could be a natural evolution from workstations and desktops to mobility for your employees.

MS Authenticator

Microsoft’s 2FA app can easily be deployed and preconfigured. For organizations using a shared device model, Endpoint Manager is currently the only EMM that can preconfigure Authenticator to operate in a shared mode for Android and provide SSO to Teams. More apps will be added and supported in the future.

O365 Apps

Similar to other EMMs, Office 365 can be assigned and set up with Managed Configs from the Play Store. But it also has the unique option to deploy as a “built-in app,” allowing customization of the name and icon while automating the licensing of tools like Word and Excel.

Azure AD

If you’re using Azure Active Directory for identity management, users’ accounts are all ready for access and assignments. Features like self-service password reset, group membership, and machine learning-based security are available. Your end-users should already know their AD account credentials, and keeping a single account across all systems will be appreciated.

UEM

Though this blog focuses on Android, Endpoint Manager is a true Unified Endpoint Management tool supporting Windows, Apple, and Android. It suffices as an organization’s single tool for device management.

Hosted in Azure, Endpoint Manager is a cloud-based solution without an option for on-prem hosting. Many other UEMs have an on-prem option, but since BlueFletch generally recommends the cloud-hosted version of UEMs/EMMs, this may not be a huge concern.

Endpoint Manager - Intune Limitations

As previously alluded to, there are a number of shortcomings with Endpoint Manager that will require workarounds or considerations.

New Product

Endpoint Manager is a relatively new solution compared to WorkspaceONE and SOTI MobiControl. There are still a lot of features in development, but luckily Microsoft is transparent about what’s upcoming via their docs. A question you need to ask yourself: is being an early adopter worth the low license costs? The solution is Android Enterprise Recommended, but it does lack some of the richer features available in competitors’ products.

Remote Control

Remote Control is an invaluable tool for IT and Help Desk teams supporting large device deployments. This feature allows device managers to connect to and control devices, streamlining service when resolving issues.

Microsoft resells TeamViewer for remote control of handheld devices, a separate and considerably more expensive license. Windows PCs include Remote Control, illustrating Microsoft’s roots and their slow process of embracing Android.

Analytics and Compliance Reporting in Intune

When testing Endpoint Manager, we went through the main use cases of creating Android policies, approving apps, and assigning them to devices. One of the biggest complaints our staff received was latency in compliance reporting and a lack of analytics data. We saw device enrollments taking more than 10 minutes to appear and app assignments showing stale data.

Having access to in-depth device analytics gives administrators a better way to troubleshoot and resolve potential issues. Without analytics, potentially dangerous threats could compromise the integrity of your company’s most sensitive data.

Operations teams noted that insight into application utilization and processes helps determine how to best focus efforts and resources for future planning. Viewing richer device usage and health data is needed to support large handheld fleets. Consider alternatives for analytics, such as our Support Agent.

Pushing Files to Devices

The lack of file manipulation on Android devices is the last limitation giving pause. Does your application have an external configuration file? Are there custom certificates that need installation? Do you have a DataWedge profile that scans different barcodes? If you answered yes to any of these questions, then Endpoint Manager will require alternative strategies.

Filling the Gaps with BlueFletch

So, you’ve made it this far and are still considering Endpoint Manager for your organization’s mobile devices. But how will you work around the limitations mentioned above?

BlueFletch addresses these shortcomings and more.

Our suite of applications functions in tandem with Endpoint Manager to provide more admin control, a better end-user experience, and richer analytics for Android enrollment. Our tools supplement any UEM/EMM that lacks the features available in our software. Below are highlights of features that may interest you as a companion to Endpoint Manager:

Our MDM agent can coexist with Endpoint Manager while providing control of applications and file management. If you need to push a configuration file, certificate or trigger an Android intent, you can do so in that exact order! We also support sending Honeywell and Zebra XML without setting up Managed Configs for these OEM Config applications from the Google Play Store.

We also provide full view and control of a user’s handheld, with the ability to execute advanced commands (e.g., reboots and file control). We don’t require the end-user to accept any prompt to allow screen share; it’s completely automated.

Microsoft offers very basic home screen replacements for Android devices. While this may suffice for kiosks or single-use devices, it provides an extremely limited feature set for end users. Our Enterprise Launcher presents a customized role-based UI to each user with single sign-on to their applications and security controls to protect corporate property and data. The Enterprise Launcher also has site awareness based on network IP addresses or GPS data, furthering customization and localization of the home screen with one common configuration across the enterprise. Our role-based access is another feature that will surely excite UEM/EMM admins. When a user logs into Azure AD, we capture the AD groups and roles within the organization and provide access to only the applications appropriate for that job role. This allows an admin to push all applications to all devices (and not worry about deployment groups) while leaving the Launcher to handle access dynamically.

Conclusion

As you begin to lab test Endpoint Manager, let me know if you have any questions on UEM best practices. There are many considerations and requirements your organization has that I’m sure I haven’t yet covered. Please feel free to reach out to me at info@bluefletch.com and I’ll do my best to point you in the right direction. I hope you found this article informative and helpful!

Patrick McGlynn

Patrick is a Technical Project Manager at BlueFletch.
