A roadmap to Modern Endpoint Management
Since the advent of Covid-19, organisations have had to rethink the way their employees work. Increasingly, working remotely is how businesses keep their doors open, but what challenges does that present? Specifically, have you been wondering how to manage endpoints now that more employees are working from home?
The workplace is constantly evolving, and to meet its changing needs, organisations need improved collaboration and a more agile approach to control. There is also a desire for a cloud-first focus, as well as increased automation provided by simplified, integrated solutions.
What this comes down to is finding a modern way to manage endpoints, i.e., on a remote basis instead of exclusively on-premises. This is not something that will happen overnight - the journey to modern endpoint management could take a number of years for larger environments.
Configuration Manager vs Intune: what's the difference?
In a nutshell, one is on-premises and the other is cloud-based. Microsoft Endpoint Configuration Manager (MECM, originally known as System Center Configuration Manager or SCCM) and Intune might seem similar when it comes to delivering software updates, but in reality they are quite different to administer and serve different target scenarios.
Configuration Manager Overview
Along with Intune, this tool is now a part of the Microsoft Endpoint Manager (MEM) suite following the recent rebranding. Since 1994, it has been the gold standard to manage workstations and servers, primarily used for deploying applications, software updates, and operating systems.
Intune Overview
Intune is the cloud-based counterpart to Configuration Manager: because it runs as a service, it needs no on-premises infrastructure to operate. It is Configuration Manager's mobile device and application management counterpart, delivering configuration, applications and updates to devices. Because it belongs to the Microsoft ecosystem, it natively supports Azure Active Directory and Conditional Access.
Why make the move from Configuration Manager to Intune?
Intune was released in 2011, so it isn't that new, but for many organisations the lack of feature parity prevented it from becoming a real contender, as policies and configuration available through traditional management were missing. In recent times, however, Intune has caught up, and it continues to evolve. For example:
- Quarterly releases and updates mean it’s rapidly improving
- Devices only need an internet connection to be managed, a necessity with the rapid mobilisation of the workforce
- Intune can easily deploy computers or wipe and re-provision as part of the endpoint lifecycle
- It removes the manual process of conducting bare-metal deployments in Configuration Manager
- It makes the device lifecycle more efficient because devices can quickly be wiped and provisioned ready for the next user
- No platform maintenance, unlike Configuration Manager, which requires patching and agent updates
If your organisation wants to achieve modern endpoint management moving from Configuration Manager to Intune, what would the roadmap look like? Let's break it down into stages.
A roadmap to Modern Endpoint Management from Configuration Manager to Intune
Stage 1 - The starting point: Configuration Manager
If you're reading this, it's probably because you're currently using Configuration Manager for endpoint management. This is the traditional method of managing endpoints and deploying a traditional Standard Operating Environment (SOE) on-premises. Building a bespoke corporate image ready for deployment is costly in time and effort. On the flip side, once it exists, the image can be swiftly deployed to many endpoints. These devices need to be on-premises or otherwise connected to the corporate network.
You'll likely be using Configuration Manager for:
- Hardware and software inventory management
- Compliance baselines and remediation to check for issues, alert on them and remediate if necessary
- Application and software update deployment
- Complex configuration to reach internet-based devices (using a Cloud Management Gateway (CMG) and Cloud Distribution Points)
The upshot is that Configuration Manager is resource-hungry and can be time-consuming for your business-as-usual (BAU) staff to configure and maintain.
Stage 2 - The stepping stone: Co-Management
The first milestone in the move to Intune is to move the software update and application workloads to Intune, while workloads that are more difficult to move to a cloud environment stay on Configuration Manager. You keep the power of your existing Configuration Manager infrastructure and attach it to Intune to gain immediate cloud value. Most organisations won't face additional costs when adopting this hybrid approach, and they'll see an immediate benefit from remote actions such as device sync, restart and factory reset. You'll also gain cloud-based capabilities such as Conditional Access without further infrastructure changes.
The two fundamental steps are:
- Cloud attach Configuration Manager to Intune
  - Cloud console through Endpoint Manager
  - No additional cost
  - Helps in helpdesk scenarios
  - No infrastructure changes needed
  - Centralised visibility of device health in the MEM console
- Client attach through co-management
  - Modern provisioning through Autopilot
  - Conditional Access
  - Management anywhere
The goal is to enrol your Configuration Manager devices into Intune for additional cloud value so that when you're ready, you can migrate the remaining workloads to Intune.
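As an added example (not from the original post and not Microsoft's own tooling), the PowerShell function below reads the Configuration Manager client's CoManagementFlags registry value on a Windows device and reports which workloads have been moved to Intune, so you can verify that the split described above is actually in place on a given endpoint. The registry path is documented by Microsoft; the bit-to-workload mapping is an assumption to be confirmed against the current co-management documentation.

```powershell
# Added example (not from the original post). Decodes the CoManagementFlags value written
# by the Configuration Manager client. The bit-to-workload mapping below is an assumption:
# confirm it against the current Configuration Manager co-management documentation.
function Get-CoManagementState {
    [CmdletBinding()]
    param(
        # Pass a captured value to decode offline, e.g. from an inventory export.
        [Nullable[int]]$Flags = $null
    )

    if ($null -eq $Flags) {
        $key  = 'HKLM:\SOFTWARE\Microsoft\CCM'
        $item = Get-ItemProperty -Path $key -Name CoManagementFlags -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            return [pscustomobject]@{
                Enabled = $false; Flags = 0; IntuneWorkloads = @()
                Note    = 'No Configuration Manager client found or co-management not configured'
            }
        }
        $Flags = [int]$item.CoManagementFlags
    }

    # Assumed layout: bit 0 (value 1) = co-management enabled; higher bits = workloads moved to Intune.
    $workloadBits = [ordered]@{
        2   = 'Compliance policies'
        4   = 'Resource access policies'
        8   = 'Device configuration'
        16  = 'Windows Update policies'
        32  = 'Endpoint Protection'
        64  = 'Client apps'
        128 = 'Office Click-to-Run apps'
    }
    $moved = foreach ($bit in $workloadBits.Keys) {
        if ($Flags -band $bit) { $workloadBits[$bit] }
    }
    $note = if ($Flags -eq 255) { 'All workloads moved to Intune' }
            else { 'Remaining workloads stay with Configuration Manager' }

    [pscustomobject]@{
        Enabled         = [bool]($Flags -band 1)
        Flags           = $Flags
        IntuneWorkloads = @($moved)
        Note            = $note
    }
}

# Constructed value 17 = enabled (1) + Windows Update policies (16), decoded offline.
Get-CoManagementState -Flags 17 | Format-List
# Live check on the current device:
# Get-CoManagementState | Format-List
```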
Stage 3 - The end goal: Intune
With Intune operational for endpoint management, you'll get comprehensive provisioning and management across the endpoint device lifecycle, from procurement through deployment to retirement, including the following features:
- Out-of-box experience (OOBE) provisioning – Autopilot for Windows devices, Apple ADE, Android Enterprise ZTD, Samsung KME
- Win32 app management
- Configuration profiles to replace traditional GPO
- BitLocker management
- Hardware and software inventory
- Update management
- Unified Endpoint Management – Windows, iOS, macOS, Android
- Risk-based access control – Compliance, Conditional Access
- Advanced threat and security – Windows Hello, Device Health Attestation, Defender for Endpoint, Secure Score
- Telemetry driven policy – Security Baselines, Guided Deployments
- Application management
- Integrated with M365 stack – Analytics, Graph, RBAC, Audit
Intune enables flexible workplaces as it doesn't require on-premises IT infrastructure to operate. It significantly reduces the time and effort IT admins need to manage desktop and mobile work environments. Intune is the new way of thinking for modern endpoint management - a much-needed solution for the world's new normal.
Stay tuned for a future blog on how to use Intune to manage remote work environments. If you’re interested in embarking on this roadmap, Inde may be able to help get Microsoft funding for your organisation.