Intro and Background of Intune (Microsoft Endpoint Manager)
Nothing is ever truly free in this world.
Microsoft may like you to think their Unified Endpoint Manager (UEM) solution is free to use (since it’s included in existing Microsoft 365 subscriptions), but a lack of features and options will leave you wondering if the savings are truly worth it.
Sure, it sounds appealing to those managing IT budgets when compared to the high costs of competitors like WorkspaceONE and SOTI, but what is the true "cost" of choosing Endpoint Manager to remotely manage your Android devices?
This article will provide an Android-focused viewpoint of Microsoft Endpoint Manager and what should be considered when selecting it as your organization’s UEM.
First, let’s start with a little background:
What is a UEM?
Unified Endpoint Manager is a single pane of glass to configure, manage and secure endpoint devices (e.g., laptops, tablets, and handheld devices).
Why do you need one?
A UEM keeps company security standards enforced on every device and installs the software the business needs on them. Network settings can be pushed so that users cannot share the WiFi password or reach device settings they should not touch. All of this and more is done by the UEM agent acting as the Android device owner.
What does Microsoft offer?
Microsoft's UEM is Endpoint Manager (formerly known as Intune), which manages Windows, Apple, and Android devices. Existing Microsoft 365 subscriptions can be extended with additional licenses. Each use case varies, so not every device or user may require a license.
What other options are available?
Endpoint Manager is generally a lower-cost option. However, when compared to other UEMs, it isn’t as feature-rich or mature. Many organizations are evaluating and experimenting with migrating to Endpoint Manager for two main reasons: reducing spending for device management and potential integration with existing O365 and Active Directory accounts.
Endpoint Manager - Intune Benefits / Unique Offerings
Cost
The low license cost drives many organizations to consider Endpoint Manager. Organizations that already have access to Endpoint Manager through their Microsoft 365 Enterprise license have a smoother transition. Others will need to add the Enterprise Mobility + Security E3 or E5 package to their subscription or purchase Endpoint Manager standalone. A single user license is as low as $6/year and can enroll unlimited dedicated devices (i.e., shared and kiosk). If the requirement is a bring your own device (BYOD) or corporate-owned, personally enabled (COPE) model, each user will need a separate subscription. Microsoft pricing information lives here.
Endpoint Manager’s integration with Office 365 apps and other Microsoft products is super convenient. Your organization may already be leveraging these products and applications. At the very least, end-users might be somewhat familiar with the software. Implementing Microsoft integrations could be a natural evolution from workstations and desktops to mobility for your employees.
Microsoft Authenticator, Microsoft's 2FA app, can easily be deployed and preconfigured. For organizations using a shared device model, Endpoint Manager is currently the only EMM that can preconfigure Authenticator to operate in shared device mode on Android and provide SSO to Teams. More apps will be added and supported in the future.
Similar to other EMMs, the Office 365 apps can be assigned and set up with managed configurations from the managed Google Play Store. Endpoint Manager also has the unique option to deploy them as a "built-in app," which allows customizing the name and icon while automating the licensing of tools like Word and Excel.
If you’re using Azure Active Directory for identity management, users’ accounts are all ready for access and assignments. Features like self-service password reset, group membership, and machine learning-based security are available. Your end-users should know their AD account credentials, and keeping a single account across all systems will be appreciated.
Though this blog focuses on Android, Endpoint Manager is a true Unified Endpoint Management tool supporting Windows, Apple, and Android. It suffices as an organization’s single tool for device management.
Hosted in Azure, Endpoint Manager is a cloud-based solution without an option for on-prem hosting. Many other UEMs have an on-prem option, but since BlueFletch generally recommends the cloud-hosted version of UEMs/EMMs this may not be a huge concern.
Endpoint Manager - Intune Limitations
As previously alluded to, there are a number of shortcomings with Endpoint Manager that will require workarounds or considerations.
Microsoft resells TeamViewer for remote control of handheld devices, a separate and considerably more expensive license. Remote control for Windows PCs is included, which illustrates Microsoft's roots and how slowly it has embraced Android.
Analytics and Compliance Reporting in Intune
When testing Endpoint Manager, we went through the main use cases of creating Android policies, approving apps, and assigning them to devices. One of the biggest complaints from our staff was latency in compliance reporting and a lack of analytics data: newly enrolled devices took more than 10 minutes to appear in the console, and app assignment status showed stale data.
Having access to in-depth device analytics gives administrators a better way to troubleshoot and resolve issues. Without analytics, a compromised or misconfigured device can go unnoticed long enough to expose your company's most sensitive data.
Operations teams noted that insight into application utilization and processes helps determine how to best focus efforts and resources for future planning. Viewing richer device usage and health data is needed to support large handheld fleets. Consider alternatives for analytics, such as our Support Agent.
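The reporting lag described above can be cross-checked outside the console by pulling device state from Microsoft Graph, which is the API behind the Endpoint Manager portal. The following Python script is an added example, not code from the original post, from BlueFletch or from Microsoft. It assumes the Graph v1.0 endpoint /deviceManagement/managedDevices with the properties deviceName, operatingSystem, complianceState, lastSyncDateTime and enrolledDateTime, that the caller already holds a bearer token with the DeviceManagementManagedDevices.Read.All permission, and that devices which have never checked in carry the 0001-01-01 sentinel timestamp. The sample response is constructed so the triage logic runs offline.

```python
"""Triage Intune-managed Android devices for compliance and stale check-ins.

Added example (not from the original post). Endpoint, property names and
the never-synced sentinel are assumptions about Microsoft Graph.
"""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

# Assumed Graph endpoint and the properties this script needs.
GRAPH_URL = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices"
SELECT = "deviceName,operatingSystem,complianceState,lastSyncDateTime,enrolledDateTime"
# Assumed sentinel Intune reports for a device that has never synced.
NEVER_SYNCED = datetime(1, 1, 1, tzinfo=timezone.utc)


def fetch_managed_devices(token):
    """Page through managedDevices with a bearer token the caller obtained.
    Requires DeviceManagementManagedDevices.Read.All; not used offline."""
    devices, url = [], f"{GRAPH_URL}?$select={SELECT}"
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        devices.extend(page.get("value", []))
        url = page.get("@odata.nextLink")  # absent on the last page
    return devices


def parse_graph_time(value):
    """Graph returns ISO-8601 UTC timestamps ending in 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage(devices, now, stale_after_hours=24):
    """Return Android devices that are not compliant or have not synced within
    stale_after_hours, each with the reasons, in the order Graph listed them."""
    stale_after = timedelta(hours=stale_after_hours)
    findings = []
    for d in devices:
        if d.get("operatingSystem", "").lower() != "android":
            continue  # this post is about Android; skip Windows/iOS entries
        reasons = []
        state = d.get("complianceState", "unknown")
        if state != "compliant":
            reasons.append(f"complianceState={state}")
        raw = d.get("lastSyncDateTime")
        last = parse_graph_time(raw) if raw else NEVER_SYNCED
        if last <= NEVER_SYNCED:
            reasons.append("never synced")
        elif now - last > stale_after:
            reasons.append(f"stale: last sync {raw}")
        if reasons:
            findings.append({"deviceName": d.get("deviceName"), "reasons": reasons})
    return findings


# Constructed sample in the shape of a Graph response; not real devices.
SAMPLE_RESPONSE = {
    "value": [
        {"deviceName": "TC52-001", "operatingSystem": "Android",
         "complianceState": "compliant", "lastSyncDateTime": "2021-03-01T11:30:00Z",
         "enrolledDateTime": "2021-02-01T09:00:00Z"},
        {"deviceName": "TC52-002", "operatingSystem": "Android",
         "complianceState": "noncompliant", "lastSyncDateTime": "2021-03-01T10:05:00Z",
         "enrolledDateTime": "2021-02-01T09:00:00Z"},
        {"deviceName": "CT40-003", "operatingSystem": "Android",
         "complianceState": "compliant", "lastSyncDateTime": "2021-02-26T08:00:00Z",
         "enrolledDateTime": "2021-02-01T09:00:00Z"},
        {"deviceName": "TC52-004", "operatingSystem": "Android",
         "complianceState": "unknown", "lastSyncDateTime": "0001-01-01T00:00:00Z",
         "enrolledDateTime": "2021-03-01T11:55:00Z"},
        {"deviceName": "LAPTOP-09", "operatingSystem": "Windows",
         "complianceState": "noncompliant", "lastSyncDateTime": "2021-03-01T11:00:00Z",
         "enrolledDateTime": "2021-01-15T09:00:00Z"},
    ]
}
NOW = datetime(2021, 3, 1, 12, 0, tzinfo=timezone.utc)


def run_sample():
    """Triage the constructed sample as of NOW with the default 24h window."""
    return triage(SAMPLE_RESPONSE["value"], NOW)


if __name__ == "__main__":
    # Against a real tenant: triage(fetch_managed_devices(token), datetime.now(timezone.utc))
    for finding in run_sample():
        print(finding["deviceName"], "; ".join(finding["reasons"]))
```

Running this against the sample flags TC52-002 (noncompliant), CT40-003 (no check-in for three days) and TC52-004 (just enrolled, compliance still unknown, never synced), and ignores the Windows laptop. Scheduling the same query against a live tenant gives a timestamped record that can be compared with what the console shows, which is the quickest way to measure how far behind the portal's reporting is.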
Pushing Files to Devices
Filling the Gaps with BlueFletch
So, you’ve made it this far and are still considering Endpoint Manager for your organization’s mobile devices. But how will you work around the limitations mentioned above?
BlueFletch addresses these shortcomings and more.
Our MDM agent can coexist with Endpoint Manager while providing control of applications and file management. If you need to push a configuration file, certificate or trigger an Android intent, you can do so in that exact order! We also support sending Honeywell and Zebra XML without setting up Managed Configs for these OEM Config applications from the Google Play Store.
It also gives you full view and control of a user's handheld, with the ability to execute advanced commands (e.g., reboots and file control). We also don't require the end-user to accept any prompt to allow screen share; it's completely automated.
Suggestions and Next Steps
As you begin to lab test Endpoint Manager, let me know if you have any questions on UEM best practices. There are many considerations and requirements your organization has that I’m sure I haven’t yet covered. Please feel free to reach out to me at email@example.com and I’ll do my best to point you in the right direction. I hope you found this article informative and helpful!