Tuesday, May 27, 2014

Windows Intune v5 implementation experiences

Last week I did a proof of concept on Windows Intune v5 (5.0.2000.0) at customer location. During implementation I did the following experiences on functionality. Pity that Intune still is missing enterprise-ready functionality, but that will be better end of year. Have a look at the Intune roadmap for that. Let's have a look at the implementation experiences. It's not all bad :)
  • Enrollment and retirement on Windows, Windows Phone, iOS and Android all goes fine (almost realtime), but sometimes retirement takes a lot of time. Microsoft is working on that to make it quicker. It can take up to 24 hours or 30 days total at the moment.
  • When you want to have remote wipe functionality on notebooks (or tablets with Windows on it), just make usage of Windows 8.1. That way don't install the Intune agent, but enroll it as a mobile device. Very nice you can have remote wipe on notebooks either!
  • When using Active Directory Federation Services (ADFS) there's single sign-on in place. Without ADFS you must fill-in account details every x minutes all over again. Really annoying if you ask me. Maybe DirSync will be a solution for this also. Does anyone know?
  • Policies cannot be enforced from the Intune console. Sometimes it can take a while before the policy will be applied, even when you want a remote wipe on the device. Hope there will be a force button in a later release. When synchronize from the mobile device, policy is refreshed immediately. Strange, because you want to force a full wipe quick if your device is missing or stolen.
  • Application blacklisting/whitelisting isn't available yet. You can set a deny on the app store (iOS 6+, Windows Phone 8.1) but there's no option to decide which apps may (not) be installed. This is on the roadmap for Q4 this year. Should be great if you can publish apps and app-links, without the need/permission to use the app store.
  • Applications can be deployed optional only for users, no way to enforce the deployment. When IT support want to pre-config devices, you want bulk-enrollment for apps and policies, without to fill-in credentials on the app store (Microsoft, Apple, Google). This is on the roadmap for Q4 this year either. Fingers crossed :)
  • The user stays in control of the device, and has the possibility to remove the Intune agent also. That way you're not in control of all devices anymore. Should be better if you can deny this I think? It depends if devices are personally or company owned. It would be great if you get an alert on this, that way you know if devices are missing.
I still think Windows Intune is (too) light in functionality, when Intune must be the successor of ConfigMgr, there's missing a lot. But..

Later this year there will be bulk enrollment, application blacklisting/ whitelisting, remote lock, secure mail, secure browser, Exchange and OneDrive for business, managed Office apps, app wrapper for iOS and Android, and multiple secure viewers.

Given the fact that the ConfigMgr team is same as the Intune team (and most resources are on Intune, because Microsoft still has a lot of catching up to do, and ConfigMgr is in a finished, almost perfect state), there will fast development on Intune for the next months.

Let's say it again: The future looks bright for Windows Intune!

No comments:

Post a Comment