Mastering Microsoft Intune (Without Losing Your Mind)
Apr 15, 2025
It starts with a question. One you've probably asked in a meeting, half-glazed, half-worried: *"What the hell is Intune, and why do we need it?"*
Let’s drop in on a fictional (but all too familiar) firm, Crunching Numbers. It’s a 50-person accounting outfit - laptops, iPhones, freelancers, deadlines. The usual. Half the team’s using company gear. The other half? Personal phones, mixing Teams notifications with Candy Crush.
Enter Intune. Microsoft’s answer to the modern IT nightmare: BYOD, app sprawl, and data leaking out of every unlocked iPhone.
Why Should You Care?
Intune is what you'd get if Microsoft tried to be your IT department. Cloud-based. Centralised. Quietly judging every device you let near your company data.
For Crunching Numbers, it means:
- Managing devices without asking Phil in accounting to stop using Windows 7.
- Letting people use their phones, without also handing them your client list.
- Pushing apps, updates, and policies in one go.
The Hidden Cost
No, Intune isn’t free. But Microsoft *loves* a bundle.
Instead of buying Intune Plan 1 (£8 per user/month), just go for Microsoft 365 Business Premium (£16.90) - it includes everything Intune Plan 1 offers, plus email, Teams, and Office.
If you’re already paying for Business Premium, you have Intune. Use it.
Company Devices vs Personal Chaos
Crunching Numbers has:
- Windows desktops and laptops
- Company iPhones for execs
- Freelancers on their own devices
Here’s how you draw the line:
- Company-owned devices get fully enrolled in Intune. You control the lot.
- Personal devices? Use *App Protection Policies*. They protect Outlook and Teams without touching private photos or Spotify playlists.
Getting Started: The Basics
To manage anything, go here:
1. Microsoft 365 Admin Centre
2. Expand "Admin Centres"
3. Open *Microsoft Intune*
Then, pop over to **Microsoft Entra** (formerly Azure AD). This handles users, device identities, and access control. Think of it as Intune’s grumpy older brother.
Enrolment: Who Gets In
In Intune:
- Go to Devices > Device Onboarding > Enrolment
- Set limits (e.g., 5 devices per user)
- Block personal Windows devices if you want control
Pro tip: Intune can’t actually tell what’s personal vs company-owned. Use Windows Autopilot to pre-register company gear.
Enrolling a Windows Device (The Intune Way)
1. On the Windows device: Settings > Accounts > Access work or school
2. Hit "Set up for work or school"
3. Sign in with your Microsoft 365 account
4. Complete MFA (because of course)
5. Device joins Entra ID, syncs with Intune
Within minutes, it shows up in both admin centres. From there, you can nuke it, lock it, or just check it’s alive.
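Before you trust the portal tick mark, check the device itself. The script below is an added example, not part of the original post: run in an elevated PowerShell on the newly enrolled Windows device, it reads `dsregcmd /status` and the Intune enrolment registry keys to confirm the device is joined to Entra ID and enrolled with an MDM, rather than merely having a work account added. The field names come from the real `dsregcmd` output; the registry location is the one Windows uses for MDM enrolments.

```powershell
# Added example (not from the original post). Run elevated on the Windows device
# after enrolment to confirm Entra join + Intune MDM enrolment actually happened.

function Get-DsregField {
    param([string[]]$StatusOutput, [string]$Name)
    # dsregcmd prints "        FieldName : value"; return the value for one field
    $pattern = "^\s*$([regex]::Escape($Name))\s*:\s*(.+)$"
    foreach ($line in $StatusOutput) {
        if ($line -match $pattern) { return $Matches[1].Trim() }
    }
    return $null
}

$status = dsregcmd /status

$joined    = Get-DsregField $status 'AzureAdJoined'    # YES = the device itself is joined (the "Set up for work or school" path)
$wpJoined  = Get-DsregField $status 'WorkplaceJoined'  # YES = only a work account was added (the "Add account" path)
$tenant    = Get-DsregField $status 'TenantName'
$mdmUrl    = Get-DsregField $status 'MdmUrl'           # populated only when an MDM enrolled the device

# Intune enrolments also leave a key under HKLM:\SOFTWARE\Microsoft\Enrollments\<GUID>
# whose ProviderID is "MS DM Server".
$intuneEnrolment = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
    Get-ItemProperty -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderID -eq 'MS DM Server' }

[pscustomobject]@{
    EntraJoined      = ($joined -eq 'YES')
    EntraRegistered  = ($wpJoined -eq 'YES')
    Tenant           = $tenant
    MdmUrl           = $mdmUrl
    IntuneEnrolled   = [bool]$intuneEnrolment
}
```

A fully enrolled company device shows `EntraJoined` true, a tenant name, an `MdmUrl` pointing at `manage.microsoft.com`, and `IntuneEnrolled` true. A personal device that only added a work account shows `EntraRegistered` true and `EntraJoined` false, which is exactly the state your App Protection Policies (not device policies) are meant to cover.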
And If It’s Already in Use?
Go to Settings > Accounts > Access work or school > Add account. Done. (Assuming you’re not blocking personal devices.)
Apple & Android Devices: Same Rules, Different Wrappers
Apple gear:
- Company-owned? Use Apple Business Manager + Automated Device Enrolment
- Personal? Stick with App Protection Policies
Androids:
- Company-owned? Use Android Enterprise
- Personal? Android Work Profile + Intune Company Portal app
Device Groups That Sort Themselves
Enter Dynamic Groups in Entra:
- Devices get grouped by OS, ownership, or anything else.
- Users can be grouped by department, location, etc.
This means:
- Set a policy once
- New devices/users auto-inherit it
Example:
- Group: Windows 11 Devices
- Rule: OS starts with "Windows 11"
- Result: Every new Windows 11 device = instantly managed
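The same group, built from the command line. This is an added example rather than anything from the original post: it creates the "Windows 11 Devices" dynamic group with the Microsoft Graph PowerShell SDK and writes the rule in Entra’s membership-rule syntax, where the OS is `device.deviceOSType` and the build is `device.deviceOSVersion`. It goes one step past the text by also restricting the group to company-owned devices. The one assumption is the version prefix: Windows 11 builds report `10.0.22000` and above, while Windows 10 stays at `10.0.1xxxx`, so `-startsWith "10.0.2"` separates them.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph.Groups
# module and an account allowed to create groups.
Install-Module Microsoft.Graph.Groups -Scope CurrentUser   # once, if not already installed
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

# Entra membership rule: Windows, build 10.0.2xxxx (Windows 11, by assumption above),
# and flagged as company-owned.
$rule = '(device.deviceOSType -eq "Windows") and (device.deviceOSVersion -startsWith "10.0.2") and (device.deviceOwnership -eq "Company")'

$group = New-MgGroup -DisplayName 'Windows 11 Devices' `
    -Description 'Company-owned Windows 11 devices, populated automatically' `
    -MailEnabled:$false -MailNickname 'win11devices' -SecurityEnabled `
    -GroupTypes @('DynamicMembership') `
    -MembershipRule $rule -MembershipRuleProcessingState 'On'

"Created group $($group.DisplayName) ($($group.Id))"

# Membership is evaluated asynchronously; re-run this after a few minutes.
Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { $_.AdditionalProperties['displayName'] }
```

Assign your Windows policies to this group once and every device that later matches the rule inherits them without anyone touching the assignment again. The ownership clause is the reason Autopilot matters: a device Intune thinks is personal never lands in the group.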
Defender + Intune = Paranoid Harmony
Microsoft Defender for Business adds endpoint security:
- Antivirus
- BitLocker encryption
- Firewall
- Attack Surface Reduction
Setup:
1. Enable Defender in M365 Admin
2. In Intune, go to Endpoint Security > Defender for Endpoint
3. Sync + onboard devices automatically
Antivirus Policy Example
- Go to Endpoint Security > Antivirus > Create Policy
- Choose platform: Windows
- Configure settings (e.g., archive scanning, cloud protection)
- Assign to a device group
Want less hassle? Use Security Baselines - Microsoft’s pre-baked best practices.
Compliance and Configuration
Compliance Policies
- Define rules (e.g., must have antivirus, BitLocker, no outdated OS)
- Set actions for non-compliance (e.g., email, lockout, retire device)
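Compliance policies decide; somebody still has to look at what they decided. The following is an added example, not from the original post: it uses the Microsoft Graph PowerShell SDK to list every Intune-managed device and flags the ones that are non-compliant, unencrypted Windows machines, or have not checked in for a while. The seven-day stale threshold is an assumption you can tune; the property names are those of the Graph `managedDevice` object.

```powershell
# Added example (not from the original post). Read-only audit of managed devices;
# requires the Microsoft.Graph.DeviceManagement module.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All'

$staleAfterDays = 7   # assumption: a week without a check-in deserves a look
$cutoff = (Get-Date).AddDays(-$staleAfterDays)

$devices = Get-MgDeviceManagementManagedDevice -All

$report = foreach ($d in $devices) {
    $issues = @()
    if ($d.ComplianceState -ne 'compliant') {
        $issues += "compliance: $($d.ComplianceState)"
    }
    if ($d.OperatingSystem -eq 'Windows' -and -not $d.IsEncrypted) {
        $issues += 'BitLocker off'
    }
    if ($d.LastSyncDateTime -and $d.LastSyncDateTime -lt $cutoff) {
        $issues += "no sync since $($d.LastSyncDateTime.ToString('yyyy-MM-dd'))"
    }
    if ($issues.Count -gt 0) {
        [pscustomobject]@{
            Device    = $d.DeviceName
            User      = $d.UserPrincipalName
            OS        = "$($d.OperatingSystem) $($d.OsVersion)"
            Ownership = $d.ManagedDeviceOwnerType   # company / personal / unknown
            Issues    = $issues -join '; '
        }
    }
}

$report | Sort-Object Device | Format-Table -AutoSize
$report | Export-Csv -Path '.\intune-attention-list.csv' -NoTypeInformation
```

A device that is "compliant" but silent for weeks is the interesting row: compliance only reflects the last check-in, so a laptop in a drawer (or one that has stopped talking to Intune) keeps its green tick until you look.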
Configuration Policies
- Control app access, OneDrive sync, feature restrictions
- Use templates or settings catalogue
App Management & Conditional Access
Install Apps via Intune:
- Push Office, LOB apps, even URLs
- Assign to device/user groups
App Protection:
- Encrypt corporate data inside apps
- Block backups to personal clouds
- Enforce PINs, block copy/paste
Conditional Access (via Entra):
- Enforce rules: Only compliant devices get in
- Example: No app protection = no access to Teams
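The "no app protection = no access" rule, as a Conditional Access policy created through the Microsoft Graph PowerShell SDK. This is an added example, not from the original post. It targets the Office 365 app group (which covers Teams) and lets a sign-in through only from a compliant enrolled device or from an app under an App Protection Policy, which is how the company-device and personal-device tracks above meet at the front door. It is created in report-only mode so the sign-in logs show who would have been blocked before anyone actually is; the emergency-access group id is a placeholder.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph.Identity.SignIns
# module and Conditional Access administrator rights.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

$breakGlassGroupId = '<GUID of your emergency-access group>'   # placeholder: fill in before running

$policy = @{
    displayName = 'Office 365: require compliant device or app protection'
    # Report-only first: evaluate and log, enforce nothing. Change to 'enabled' once
    # the sign-in logs show no surprises.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeUsers  = @('All')
            excludeGroups = @($breakGlassGroupId)   # never lock out the emergency accounts
        }
        applications = @{
            includeApplications = @('Office365')   # Teams, Exchange, SharePoint and the rest of the suite
        }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'   # either control satisfies the policy
        builtInControls = @('compliantDevice', 'compliantApplication')
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

`compliantDevice` is the portal’s "Require device to be marked as compliant" and `compliantApplication` is "Require app protection policy". With `OR`, an enrolled company laptop that passes its compliance policy gets in, and so does a personal phone running Outlook or Teams under an App Protection Policy; a personal phone with the stock mail app does not.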
Final Word
Intune isn’t just MDM. It’s the bouncer, bartender, and manager for every device touching your business data. Set it up once, and sleep better knowing your CFO isn’t opening spreadsheets next to Instagram.
Next up: Policies that enforce themselves. Stay tuned.