Powerful Microsoft Intune Planning Guide for Successful Deployment

Moving to or adopting Microsoft Intune can transform your organization's endpoint management capabilities, but a successful deployment starts with meticulous planning. This guide aims to assist you in intelligently planning your transition to Intune, covering everything from objectives to communication strategies.

Determine Your Objectives

Organizations rely on mobile device management (MDM) and mobile application management (MAM) to secure data and ensure minimal user disruption. Evaluating a solution like Microsoft Intune requires clarity on goals. Here’s how to determine your objectives:

Access Organizational Apps and Email

Users today expect continuous access to organizational apps and communication tools across all their devices. Intune supports the deployment of various types of apps:

  • Microsoft 365 apps
  • Win32 apps
  • Line-of-business (LOB) apps
  • Custom apps
  • Built-in and store apps

Task: Make a list of the apps your users regularly use.

Consider which apps your users need. Deploying Office apps, for example, might differ between device types:

  • Sales teams might need Teams, Excel, and SharePoint on their mobile devices.
  • Office workers might use the full suite of Microsoft 365 apps on their PCs and tablets.

Assess how you want to manage access to organizational apps on personal devices versus company-owned devices.

Secure Access on All Devices

Data security on mobile devices is crucial. Intune offers multiple layers of security through integration with Microsoft Defender for Endpoint and various Mobile Threat Defense (MTD) partners.

Task: Determine how you want to secure your devices.

Consider implementing policies for:

  • Antivirus and malware protection
  • Conditional Access to limit access on compromised devices
  • Update management for devices, OS, and apps

You can also use certificates for passwordless authentication, along with multi-factor authentication (MFA). Consider a Zero Trust configuration built on Microsoft Entra ID and Intune to strengthen security.

Distribute IT

Some organizations need distributed IT management to delegate control over different locations or departments. Intune facilitates this through several features.

Task: Determine how you want to distribute your rules and settings.

Use scope tags and dynamic groups to manage policies specifically for locations or roles, and set up device enrollment categories to streamline policy distribution.

Keep Organization Data Inside the Organization

Data should always be protected from accidental loss or mismanagement. Intune allows you to create comprehensive plans for different scenarios, such as lost devices or user departures.

Task: Create a plan to cover various scenarios.

Options include remote wipe, retire policies, app-level selective wipes, and configuration profiles to control data sharing on both managed and personal devices.

Inventory Your Devices

Supported Platforms

Intune supports a wide range of platforms, from Windows desktops to mobile devices running on iOS, Android, and more.

Task: Upgrade or replace older devices.

Old, unsupported devices pose a security risk and may be incompatible with modern management policies. Evaluate these devices and plan upgrades.


Personal Devices vs. Organization-owned Devices

Organizations must decide how to handle personal devices (BYOD) versus organization-owned devices. Each has its own strategies and benefits.

Task: Determine how you want to handle personal devices.

Options include allowing selective organizational app access with app protection policies or requiring full device enrollment.


Determine Costs and Licensing

Managing devices involves a relationship with several services. Intune licensing needs should be considered in conjunction with other requirements like Microsoft Entra ID or Microsoft Defender for Endpoint.

Task: Determine the licensed services your organization needs.

Factors include whether you need just basic policies or you have comprehensive needs involving endpoint security and data protection across various platforms.

Review Existing Policies and Infrastructure

Many organizations have entrenched policies that have been maintained for years. Now is the time to re-evaluate them with modern cloud solutions in mind.

Look at Tasks You Run On-Premises

Task: Identify services that could move to the cloud.

Research the services currently running on-premises and assess their goals and relevance in a modern Intune deployment.


Review Current Policies and Their Structure

Understanding the hierarchy and intent of your current policies is crucial.

Be prepared to create new policies within Intune that leverage modern cloud functionalities. Options:

  • Security baselines for Windows 10/11
  • Administrative templates (ADMX) for detailed settings control
  • Group policy analytics for importing GPOs to Intune

Create a structured baseline for essential policies covering email security, device settings, and app management.

Create a Rollout Plan

Planning how and when users' devices receive policies is essential for a smooth rollout.

Task: Create a plan to roll out your policies.

Break down the rollout into manageable phases:

  1. Start with a limited pilot.
  2. Expand to more users within targeted groups.
  3. Execute a full production rollout in phases by departments, geographies, or device platforms.

Include specific enrollment methods, aligning them with each rollout phase for streamlined adoption.

Rollout Example:

Rollout phases, scheduled across July, August, September, and October:

  • Limited Pilot: IT (50 users)
  • Expanded Pilot: IT (200 users), IT Executives (10 users)
  • Production rollout phase 1: Sales and Marketing (2000 users)
  • Production rollout phase 2: Retail (1000 users)
  • Production rollout phase 3: HR (50 users), Finance (40 users), Executives (30 users)

Communicate Changes

Change management relies on clear communication. Informing users about upcoming changes ensures smoother transitions.

Task: Develop a comprehensive communication plan.

Stages include:

  • Kickoff phase: Broad introduction to Intune.
  • Pre-enrollment phase: Detailed information about services, timelines, and resources.
  • Enrollment phase: Instructions and support information.
  • Post-enrollment phase: More resources and feedback collection.

Use methods such as emails, meetings, flyers, and social media for communication.

Example Communication Plan:

Communication plan, by month (July, August, September, October):

  • Kickoff meeting: First week
  • Pre-rollout Email 1: IT (July); Sales and Marketing (August); Retail (September); HR, Finance, Executives (October)
  • Pre-rollout Email 2: Second week (July, August, September, October)
  • Enrollment email: Third week (July, August, September, October)
  • Post-enrollment email: Fourth week (July, August, September, October)

Support Help Desk and End Users

Involve your IT support and helpdesk teams early in the planning stages to familiarize them with Intune, ensuring they’re well-prepared to support end users.

Task: Train your support teams.

Establish comprehensive training and update them on common issues and resolutions. Include all tiers of support in early rollouts to document issues and adjust strategies.

Example Help Desk Workflow:

  1. End user contacts IT support tier 1 for an issue.
  2. If unresolved, tier 1 escalates to tier 2.
  3. Tier 2 investigates, escalating unresolved issues to tier 3.
  4. Tier 3 resolves and communicates the fix to tier 2 and tier 1.
  5. Tier 1 communicates the resolution to the end user.

Regular meetings and documentation of issues help you quickly identify recurring problems and resolution patterns.

Conclusion

Careful planning and structured implementation can make your Microsoft Intune deployment or migration successful. Use this guide to identify objectives, assess devices, manage costs, plan rollouts, train support teams, and communicate effectively.

For more details on setting up or moving to Microsoft Intune, visit the official Microsoft Intune documentation.


By following this guide, you are well on your way to a smooth and effective transition or deployment of Microsoft Intune as your unified endpoint management solution.