Mobile device management capabilities in Microsoft Intune
Updated: August 7, 2015
Applies To: Microsoft Intune
Intune supports mobile device management of iOS, Android, and Windows Phone devices. It also supports management of Windows RT and Windows computers as mobile devices. Users use a company portal to install apps, enroll and remove devices, and contact their IT department or helpdesk. To enroll mobile devices you must set Intune as your mobile device authority and then configure the infrastructure to support the platforms you want to manage. This requires establishing a trust relationship with the device.
The requirements to manage a mobile device and the level of management you have depend on whether you manage the device directly or use Exchange ActiveSync:
Direct management: Different types of mobile devices have different requirements for direct management. For example, to manage iOS devices you need an Apple Push Notification service certificate, and to manage apps for a Windows RT 8.1 device, you need sideloading keys and a code-signing certificate. Intune can manage the following devices with mobile device management:
Apple iOS 6.0 and later
New devices must be running iOS version 7.1 or later in order to enroll in Intune. Enrolled iOS 6.0 devices remain enrolled, but iOS 7.1 features are not supported.
Google Android 4.0 and later (includes Samsung KNOX)
Windows Phone 8.0 and later
Windows RT and Windows 8.1 RT
Windows 8.1 and later computers (managed as mobile devices; see Computer management capabilities in Microsoft Intune)
Before you can directly manage mobile devices you must Set mobile device management authority as Microsoft Intune.
Exchange ActiveSync: To manage devices by using Exchange ActiveSync, you must install the On-Premises Connector or use the built-in Service to Service Connector to connect to your Exchange Server.
To learn about the hardware and software requirements to install the On-Premises Connector, see Requirements for the On-Premises Connector.
To learn about using the On-Premises Connector or Service to Service Connector with Exchange, see Mobile device management with Exchange ActiveSync and Microsoft Intune.
Intune supports mobile device management of iOS, Android, and Windows Phone devices. It also supports management of Windows RT and Windows computers as mobile devices. Intune can manage users' devices, a scenario popularly known as "bring your own device" (BYOD). It can also manage company-owned devices, including scenarios where the company provides a list of devices users may choose from, known as "choose your own device" (CYOD).
You can enroll devices in the way that meets your organization's needs:
Shared device with manager account
Shared device without a user account
Personal device enrolled using Microsoft Intune
Corporate-owned device for single user
Corporate-owned device managed using a manager account shared by many users
Corporate-owned user-less device used by many users.
No user-specific account
No specific user
Owner or administrator
Who can reset
Owner or administrator
To enroll mobile devices you must set Intune as your mobile device authority and then configure the infrastructure to support the platforms you want to manage. This requires establishing a trust relationship with the device.
Management, inventory, app deployment, provisioning, and retirement are all handled through the Intune administration console. Users gain access to the company portal, which lets them install apps, enroll and remove devices, and contact their IT department or helpdesk.
Mobile device management (MDM) capabilities differ across mobile device platforms but all platforms support the following:
Certificate, email, VPN and Wi-Fi profiles. You can deploy certificate profiles to mobile devices, and also deploy email, VPN and Wi-Fi profiles. See Enable access to company resources with Microsoft Intune.
Manage corporate-owned iOS devices. You can set up devices for enrollment and then distribute them to specific users, or you can enroll devices so that they can be shared by multiple users. See Set up iOS management with Microsoft Intune.
Mobile application management. Managed mobile apps can be configured to restrict certain app operations, such as copy and paste, to help protect your organization’s data. You can also use the managed browser to control the sites that users are allowed to visit. See Protect data using mobile application management policies with Microsoft Intune and Manage Internet access using managed browser policies with Microsoft Intune.
Conditional access. Use Intune conditional access policies to control access to on-premises Microsoft Exchange email from mobile devices, even when the device is not managed by Intune. See Manage access to email and SharePoint with Microsoft Intune.
Password management differs across mobile device platforms, but all platforms let you require a password, limit the number of failed attempts, limit the minutes before the screen locks, set password expiration, and prevent the reuse of previously used passwords.
Application settings. You can control browser settings, and also such application settings as whether app stores can be used on mobile devices.
Device capabilities, cellular and voice. You can allow or deny the use of a camera, control roaming settings, and enable or disable iOS voice assistant and voice dialing features.
Reset passcodes, lock, selectively wipe or retire devices. You can reset passcodes if users lose access to their device, lock missing or stolen devices, or even wipe data from missing or stolen devices.
Mobile device configuration policies let you manage many settings and features on mobile devices in your organization.
Use custom policies when configuration policies do not contain the setting you require. For iOS devices, you can import settings you exported from the Apple Configurator Tool. For other devices, you can use OMA-URI settings to configure settings and features on the device.
Remote Wipe, Remote Lock, and Passcode Reset
Erase sensitive data when a device is lost or stolen. For example, you can remotely lock the device, restore it to factory settings, or wipe only corporate data.
Lets you lock down certain features of mobile devices such as screen capture and the power switch. Also lets you restrict devices to run a single app that you specify.
App deployment and management
Provides a range of tools to help you manage mobile apps through their lifecycle, including app deployment from installation files and app stores, detailed monitoring of app status, and app removal.
Compliant and noncompliant apps
Lets you specify lists of compliant apps (that users are allowed to install) and noncompliant apps (which must not be installed by users).
Mobile application management
Configure restrictions for apps by using a mobile application management policy. This helps you to increase the security of your company data by restricting operations such as copy and paste, external backup of data and the transfer of data between apps.
After you deploy the managed browser to your users, you can configure a managed browser policy to control the websites that they can visit. In addition, you can also apply mobile application management policies to the managed browser.
Create and deploy trusted certificate profiles and Simple Certificate Enrollment Protocol (SCEP) certificates which can be used to help secure and authenticate Wi-Fi, VPN, and email profiles.
Deploy wireless network settings to your users. By deploying these settings, you minimize the end-user effort required to connect to the corporate network.
Create and deploy email settings to devices. This lets users access corporate email on their personal devices without any required setup on their part.
Deploy VPN settings to users and devices in your organization. By deploying these settings, you minimize the end-user effort required to connect to resources on the company network.
Conditional access policies
Manage access to Microsoft Exchange email and SharePoint Online from devices that are not managed by Intune.
Inventory and reporting
Find information about the devices you manage and the software they are using.
You can filter these reports in a number of ways, such as the device platform, and whether the device is compliant with corporate standards.
Overview of Microsoft Intune and core concepts
Set up device enrollment in Microsoft Intune
Manage mobile devices and PCs from the cloud
Bring your own device (BYOD) design considerations guide
Get started with Microsoft Intune
Microsoft Intune Service Description
Microsoft Intune evaluation guide