What's new in Configuration Manager and Microsoft Intune to manage and secure your devices
As you work to empower your employees to be more productive wherever they are, on the devices of their choice, one of your greatest challenge may be how you manage and secure those known and unknown endpoints – without investing additional IT resources. You need a depth of control offered by a robust PC management solution, and the ability to scale to the modern demands of a mobile workforce. How can you transform into an agile service provider that meet these high security requirements without ever compromising user experience?
Building on experience over the past 25 years across every industry vertical, we have worked to offer the most complete unified endpoint management (UEM) platform in the industry, connecting the advanced security and mobility management strengths in Microsoft Intune to the robust Configuration Manager client management capabilities. Today, it’s estimated these products manage over 150 million endpoints at a global scale.
Investing in cloud-connected value
Customers frequently tell us that they need the depth of control offered by a robust PC management solution, and we continue to invest in driving cloud value for our on-premises PC management platform. Many of you have widely adopted Configuration Manager current branch, a cloud-connected version that enables you to stay current with updates three times per year. This week we are releasing Configuration Manager current branch 1902, which will include new insights and capabilities such as:
- New Office analytics: Native integration with the Office Readiness Toolkit provides insights that will help prepare your organization for Office 365 ProPlus deployments. These insights help organizations with the end-to-end readiness, deployment and status tracking of Office 365 ProPlus, all managed with the familiarity of Configuration Manager.
- Updates to CMPivot for real-time queries: CMPivot provides a simple way to quickly investigate the whole device estate using pre-built queries, pivoting the data to answer specific questions relating to compliance and security, for example. You can now access CMPivot from the Configuration Manager Central Admin Site, enabling you to quickly run these queries and remediate where needed.
- New management and client health visibility: Improved management insights simplify and help you prepare for co-management. There are new Management Insight rules for optimizing and simplifying collections and packages. We have also made improvements in client health by providing a dashboard with detailed breakdowns of device status across your organization.
Greater insights empower you to take action, and with the addition of new deployment options, you can accelerate the shift to modernize the way your users work:
- Phased deployments: To accelerate OS and app deployment, phased deployments let you set the order of updates based on device collections, set parameters for those deployments including success criteria, and then execute all phases sequentially. In the Configuration Manager 1902 release, phased deployments now have their own dedicated monitoring node.
- Configuration of known-folder mapping to OneDrive: The ability to configure known-folder mapping to OneDrive from Configuration Manager, provides a streamlined way to seamlessly redirect users’ known folders to OneDrive, and redirecting their data from local folders. This helps simplify user data migration during OS updates.
- Configuration Manager integration with the Office Customization Tool: Streamline deployment of Office 365 ProPlus and other Click-to-Run managed Office products using a simple, intuitive, and web-based interface, surfaced within the Configuration Manager console.
Gain immediate value from co-management
Co-management is about leveraging your existing management infrastructure and connecting it to the cloud to gain management efficiency, greater security and global scale. In just four clicks, you can start delivering immediate cloud value to existing Windows users managed by Configuration Manager, such as:
- Azure Active Directory conditional access: Control user access to corporate resources based on device health and compliance policy signals from Microsoft Intune.
- Azure Active Directory cloud identity: Registering Windows devices with Azure Active Directory is a requirement for co-management, and it lets users take advantage of improved collaboration, productivity and security across the Microsoft 365 stack, within both cloud and on-premises environments.
- Remote Actions: Run remote actions from Intune for co-managed devices. For example, wipe and reset a device and maintain enrollment and account.
- Configuration Manager client health: Maintain visibility of Configuration Manager client health from the Intune portal.
Manage and secure all your devices
The unified endpoint management platform combining Microsoft Intune and Configuration Manager creates one place for you to manage Windows and other endpoints running Microsoft 365 within your organization. It allows you to achieve your digital transformation goals at your own pace, scaling to the security and management demands of an increasingly mobile workforce. Microsoft Intune is leading the innovation march to extend security management across devices, including Windows, macOS, iOS, Android and ruggedized devices:
- Secure browsing extended to all platforms with Microsoft Edge: We are excited to announce Microsoft Edge for iOS and Android will support Microsoft Intune app protection policies to enable the most secure and user-friendly browsing experience for enterprise users. Mobile users who sign in with their corporate Azure Active Directory accounts in the Microsoft Edge application will benefit from the unique ability to separate work and life in the same app, and have fully managed access to corporate resources. Switching from native browsers to Microsoft Edge gives users a greatly improved user experience, and leverages Microsoft 365 security features such as Intune application protection policies, Azure Active Directory conditional access, App Proxy integration, single sign-on, and application configuration settings defined by their IT admins for Microsoft Edge. This solution is expected to be generally available by the end of March.
- Support for ruggedized devices: Microsoft Intune is proud to partner with leading manufacturers of ruggedized devices, including Zebra Technologies and Samsung, to easily provision, deploy, and secure ruggedized scanners, printers, tablets, and handheld devices alongside their information worker and non-rugged deployments, from a unified management console. With upcoming support for new devices using Android Enterprise and deeper integration for existing management methods, Microsoft Intune’s highly scalable, globally distributed cloud service is an ideal management partner for the rugged devices to withstand punishing use and harsh conditions. We estimate the public previews to be available starting next quarter.
- Expanding support for Android Enterprise scenarios: With Microsoft Intune, you can select the right management approach for different use cases and scenarios relevant to your organization. Intune supports Android Work Profile, which requires users to enroll and provides certain device-level controls for IT administrators. If you don’t need the device management capabilities, you may deploy Intune app protection policies (APP) that manage the corporate identities and protect corporate data on devices without enrollment. The Android Enterprise dedicated device mode is designed for locked-down kiosk-style use cases where the device is not associated with a specific user identity. The Android Enterprise fully managed capabilities for company owned devices are now in public preview. Earlier this year, Microsoft also joined the Android Enterprise Recommended program for enterprise mobility management.
- Meeting customers’ top-requested macOS management features: With growing Microsoft 365 adoption on Apple Mac devices, customers have asked us to help simplify their macOS management. We are pleased to announce that some of the most-requested macOS management features will soon be available in Microsoft Intune. A few highlights are FileVault full-disk encryption (FileVault 2) to encrypt the startup disk on your Mac, support for volume purchasing plans (VPP) for macOS, along with other top-requested configuration settings. Here’s a quick review of recent management capabilities for macOS already available with Microsoft Intune
Microsoft Intune remains the best way for you to take full advantage of Windows 10 modern device management (MDM) capabilities. Several new features help you leverage skills and processes honed through on-premises management and use them in the cloud. For instance:
- Windows 10 Security Baselines (in preview) are a group of Microsoft-recommended configuration settings that explain security impact and help you improve your organization’s security posture, increase operational efficiency and reduce costs. If you’re new to Intune, and not sure where to start, then MDM security baselines give you an advantage. You can quickly create and deploy a secure profile to help protect your organization’s resources and data. If you’re currently using Group Policy, migrating to Intune for management is much easier with these baselines natively built into Intune’s modern management platform.
- Administrative templates include about 300 settings that previously only existed in the group policy editor, which can now be managed in Microsoft Intune. They include hundreds of settings that control features in Internet Explorer, Microsoft Office programs, remote desktop, access to OneDrive, using a picture password or PIN to sign in, and more. These fully cloud-based templates offer a simpler way to find and configure Windows settings you want.
- Win32 app deployment has been arguably one of the most anticipated cloud management features. Widely deployed since it became generally available earlier this year, it builds upon the existing support for line-of-business (LOB) apps and Microsoft Store for Business apps to enable Microsoft Intune administrators to add, install, and uninstall Win32 applications for Windows 10 users in a variety of formats such as MSI, Setup.exe, or MSP. New capabilities added recently include the option to install Win32 apps in user context for individual users, as well as installing for all users of the device; delivery optimization for app content download; install status in the troubleshooting blade; ability to suppress showing end user toast notifications per app assignment; and more.
- Endpoint protection for Windows 10 and newer devices continues to evolve in Microsoft Intune. Endpoint protection lets you control different security features on your devices –including firewall, BitLocker, Microsoft Defender — allowing and blocking apps, and more. You can configure these settings in Microsoft Intune using device profiles. Check out the latest support for remediation of vulnerable apps using Microsoft Intune security tasks with Microsoft Defender ATP Threat & Vulnerability Management.
- Windows Autopilot provides a simplified experience for both you and your users in the following situations — set up and preconfigure new Windows 10 devices, and reset, recycle, and recover existing Windows 7 devices. Windows Autopilot with Microsoft Intune now supports several scenarios, all of which are maximized with co-management. Users can drive their own deployments of new devices into either Azure Active Directory or Active Directory with hybrid Azure Active Directory join; you can set up self-deploying kiosks and shared devices using Windows Autopilot and the Intune device-only subscription; or use Configuration Manager to migrate existing Windows 7 devices to Windows 10 and Azure Active Directory.
Microsoft unified endpoint management (UEM) maximizes the productivity of the devices and apps your employees choose to get work done. This article gives you a glimpse into the exciting magic our teams are busy creating for you, and we now have more ways for you to stay up-to-date with the latest releases and roadmap: the What’s New page covers an overview of everything released in the last six months; the In Development page gives you a sneak-peek at features estimated to release within the next quarter or sooner; and the Microsoft 365 public roadmap shares our longer term vision to help with your strategic planning.
More info and feedback
Learn how to get started with Microsoft Intune and Configuration Manager in this series of video blogs on cloud-connecting your management infrastructure. Don’t have Microsoft Intune? Start a free trial or buy a subscription today!
As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community page.
Follow @MSIntune on Twitter
(This post is co-authored by Locky Ainley and Mayunk Jain, Product Managers, Microsoft 365 Security)
Source: EM+S Blog Feed