
Azure MDM is a cloud-based service that provides a comprehensive platform for managing mobile devices and applications. It's a game-changer for businesses that need to secure and manage their mobile fleet.
Azure MDM offers a range of key features that make it an attractive solution for organizations. These include device enrollment, which allows users to enroll their devices with Azure MDM with just a few clicks.
Device management is a core feature of Azure MDM, enabling administrators to remotely manage and monitor devices, including enforcing security policies and deploying apps. This helps to ensure that devices are secure and compliant with organizational policies.
Azure MDM also provides a range of reporting and analytics tools, allowing administrators to track device usage and identify potential security risks. This helps to inform business decisions and improve overall security posture.
What is Azure MDM
Azure MDM, or Mobile Device Management, is a cloud-based solution that helps organizations manage and secure their mobile devices. It's a key component of Azure AD, which is why we're discussing it here.
Azure MDM is designed for cloud-first and cloud-only organizations, but it can also be used in hybrid environments. This flexibility makes it a great option for businesses of all sizes and industries.
Azure MDM allows organizations to manage devices that are joined to Azure AD, which requires an organizational account to sign in to the device. This means that users can access both cloud and on-premises apps and resources with ease.
Azure MDM is suitable for both cloud-only and hybrid organizations, and it's applicable to all users in an organization. This makes it a great option for companies with a diverse range of users and devices.
Here are the key characteristics of Azure MDM:
By using Azure MDM, organizations can take advantage of a range of benefits, including improved security, better device management, and increased productivity.
Choose the Right Solution
You can manage devices using either mobile device management (MDM) or mobile application management (MAM).
MDM allows you to push apps to devices, restrict devices to a specific operating system, and block personal devices.
If a device is lost or stolen, you can remove all data from the device using MDM.
Users can use their personal devices to access organizational resources with MAM.
MAM enables you to remove all organization data from Intune managed applications if a device is lost or stolen.
You can use a combination of MDM and MAM together for a more comprehensive solution.
Conditional Access and Security
Conditional Access and Security is a crucial aspect of Azure MDM. Implementing Zero Trust requires Azure AD Conditional Access (CA), which is included in Azure AD Premium P1.
With CA, we can allow or deny access based on the device information, such as requiring the device to be managed. Managed devices are devices that are either Hybrid Joined or marked as compliant.
Here are the requirements for marking a device as compliant:
- For Azure AD Joined devices, Intune must mark the device as compliant; Conditional Access then uses that compliance state.
- For Hybrid AAD Joined devices, the hybrid-joined state of the device itself satisfies the Conditional Access evaluation.
Intune plays a crucial role in enhancing security and compliance across the organization by enforcing security policies, monitoring device compliance, and responding to security incidents in real time.
Conditional Access
Conditional Access is a crucial feature for protecting your organization's data from cyber attacks and leaks. It's based on the devices used to access that data, and it's a key component of implementing Zero Trust.
To enable Conditional Access, you need to ensure that devices are either Hybrid Azure AD Joined or compliant. This is where Intune comes in – it's used to mark devices as compliant for Azure AD Joined devices. For Hybrid AAD Joined devices, the device itself evaluates the Conditional Access.
Here are the key requirements for device compliance:
- For Azure AD Joined devices, Intune is used to mark devices as compliant.
- For Hybrid AAD Joined devices, the device itself evaluates the Conditional Access.
Conditional Access can also be used to require devices to be managed. Managed devices are either Hybrid Joined or marked as compliant. This is where Configuration Manager and/or GPOs come in – they're used to manage Hybrid Joined devices. Other devices can be marked compliant by Mobile Device Management (MDM) systems, such as Intune.
Intune plays a crucial role in enhancing security and compliance across the organization. By enforcing security policies, monitoring device compliance, and responding to security incidents in real time, Intune helps organizations protect corporate assets, mitigate risks, and demonstrate adherence to regulatory requirements and industry standards.
Authentication Criteria
Authentication Criteria is a crucial aspect of Conditional Access and Security. Authentication in Azure AD Joined is done using a corporate id or credentials that exist in Azure AD.
Signing in to the device with the user's own local id or personal cloud id is fundamentally different from authenticating to corporate resources, which uses the user's AAD id.
AAD is the only way to authenticate to an Azure AD Joined device. This means that users must have a corporate id or credentials in Azure AD to access corporate resources securely.
Hybrid Join and Registration
Hybrid join requires a device object to exist in Azure AD. This object can be created in two ways: by creating a device object in Azure AD or by syncing a device object from on-prem AD.
To register a device, you need to obtain an access token and provide "Register" as the join type. This can be done using the AADInternals version v0.4.6 or later.
Here are the steps to register a device:
- Generate Device key and Transport key.
- Request access token for Azure AD Join.
- Enroll device by making a POST request to the EnrollmentServer.
- Return device certificate.
Note that devices are a crucial part of Microsoft's Zero Trust concept.
Cloud Attach for On-Premises Configuration Manager
Cloud attach for on-premises Configuration Manager is a game-changer for organizations that want to leverage the benefits of the cloud.
By cloud-attaching your on-premises Configuration Manager to Microsoft Intune, you can access features like conditional access and remote actions.
With cloud-attachment, you can use Windows Autopilot, which streamlines the device deployment process and reduces the need for manual intervention.
You can expect to get the best of both worlds – the security and control of on-premises Configuration Manager and the scalability and flexibility of the cloud.
Pros of Azure AD Joined
Azure AD Joined offers many benefits, making it a great choice for organizations. It's suitable for both cloud-only and hybrid organizations, and can be applied to all users in an organization.
One of the key advantages of Azure AD Joined is that it's easy to implement, requiring only organizational account sign-in to the device. This makes it a great option for organizations of all sizes and industries.
Azure AD Joined devices are owned by the organization, which means they can be managed and controlled centrally. This provides an additional layer of security and control over company data.
Here are some key features of Azure AD Joined:
In a hybrid environment, Azure AD Joined enables access to both cloud and on-premises apps and resources. This makes it an ideal choice for organizations that need to balance cloud and on-premises infrastructure.
Hybrid Joining
Hybrid joining is a process that allows devices to be connected to both on-premises Active Directory and Azure Active Directory. It's a great option for organizations that want to manage their devices in a hybrid environment.
To start the hybrid joining process, you'll need to create a device object in on-prem AD, sync it to Azure AD, and then hybrid join it. This can be done using a script that creates a computer object in on-prem AD, generates a self-signed certificate, and sets the public key of the certificate to the userCertificate attribute of the computer object.
The script output shows that the generated certificate is also exported to a file, which is useful for future reference.
After the sync, the device appears in Azure AD, and you can then continue the script to hybrid join the device. This involves getting the tenant ID and using the generated certificate to join the device to Azure AD.
One of the key benefits of hybrid joining is that it allows devices to be managed in a hybrid environment, where some devices are on-premises and others are in the cloud. This is particularly useful for organizations that have a mix of cloud and on-premises resources.
Here are the different types of join options available:
Joined vs Registered
Azure AD Joined devices offer a fair share of advantages, but they might not be the best option for everyone.
The Azure AD Registered method, on the other hand, is accessible to a wider range of devices.
Azure AD Registered devices are a better option than Azure AD Joined devices in terms of accessibility.
The method you choose depends largely on your organizational requirements.
You might find that Azure AD Registered devices are more suitable for your needs, especially if you need to support a wider range of devices.
Azure AD Joined devices are still a good choice if you need to enforce strict security policies.
Register
Registering devices to Azure AD is a crucial step in the hybrid join process. You can register a device using the Azure AD portal or through the AADInternals tool, which supports registration in version v0.4.6 and later.
To register a device, you'll need to obtain an access token and provide "Register" as the JoinType. This involves a series of steps, including generating a device key and transport key, requesting an access token, and enrolling the device.
Here's a high-level overview of the registration process:
- Generate Device key and Transport key.
- Request access token for Azure AD Join.
- Return access token.
- Enroll device.
- Return device certificate.
The registration process involves a POST request to the "https[:]//enterpriseregistration.windows.net/EnrollmentServer/device/?api-version=1.0" endpoint, which includes the device key, transport key, and other relevant information.
In the Azure AD portal, you can see the different join types, including Registered devices, which have a join type of 4. This indicates that the device has been registered to Azure AD.
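As an added example (not code from the page, nor from Microsoft or AADInternals), the following Python ties the join types visible in the portal to the rule from the Conditional Access section above, where a managed device is one that is either Hybrid Joined or marked compliant: it audits a constructed set of Microsoft Graph-shaped device records for which ones would satisfy a "require managed device" grant, and builds the matching report-only Conditional Access policy body. The sample device records are constructed; the Graph field names (trustType, isCompliant, isManaged) and the built-in grant controls are real.

```python
# Constructed sample records, shaped like the Microsoft Graph /devices
# resource (trustType, isCompliant and isManaged are real Graph fields).
SAMPLE_DEVICES = [
    {"displayName": "WS-001", "trustType": "AzureAd", "isCompliant": True, "isManaged": True},
    {"displayName": "WS-002", "trustType": "AzureAd", "isCompliant": False, "isManaged": True},
    {"displayName": "HYB-01", "trustType": "ServerAd", "isCompliant": None, "isManaged": None},
    {"displayName": "BYOD-1", "trustType": "Workplace", "isCompliant": None, "isManaged": None},
    {"displayName": "BYOD-2", "trustType": "Workplace", "isCompliant": True, "isManaged": True},
]

# Graph trustType values mapped to the join types the page describes.
JOIN_TYPE = {
    "AzureAd": "Azure AD joined",
    "ServerAd": "Hybrid Azure AD joined",
    "Workplace": "Azure AD registered",
}


def is_managed(device):
    """Managed as the page defines it for Conditional Access: Hybrid joined,
    or marked compliant (which Intune does for Azure AD joined devices)."""
    return device.get("trustType") == "ServerAd" or device.get("isCompliant") is True


def audit_devices(devices):
    """Split devices into those that satisfy a 'require managed device' grant
    and those it would block. Each row is (displayName, join type)."""
    allowed, blocked = [], []
    for d in devices:
        row = (d.get("displayName", "?"), JOIN_TYPE.get(d.get("trustType"), "unknown"))
        (allowed if is_managed(d) else blocked).append(row)
    return allowed, blocked


def require_managed_device_policy(name="Require managed device for all cloud apps"):
    """Conditional Access policy body (Graph conditionalAccessPolicy shape):
    grant only when the device is compliant OR hybrid Azure AD joined, for all
    users and cloud apps; report-only state so the audit can be checked first."""
    return {
        "displayName": name,
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {
            "operator": "OR",
            "builtInControls": ["compliantDevice", "domainJoinedDevice"],
        },
    }


if __name__ == "__main__":
    passed, blocked = audit_devices(SAMPLE_DEVICES)
    print("would pass:", passed, "\nwould be blocked:", blocked)
```

Registered-only devices with no Intune compliance state (BYOD-1 here) are the ones such a grant blocks, so reviewing that list before switching the policy from report-only to enabled avoids locking users out.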
Microsoft Intune
Microsoft Intune is a cloud-based Unified Endpoint Management (UEM) solution that helps organizations manage and secure their devices, applications, and data from a single, centralized platform. It's designed to support modern device management strategies and offers a comprehensive set of features and functionalities.
Intune provides IT administrators with the tools they need to efficiently manage a diverse range of endpoints, including PCs, mobile devices, and IoT devices, across various operating systems. With its user-centric approach, seamless integration with Microsoft 365 services, and emphasis on simplicity and automation, Intune empowers organizations to adopt contemporary work practices while ensuring data security and compliance across all endpoints.
Some of the key features of Intune include cloud-based UEM to control features and settings, isolation of corporate data for certain apps, and the Intune admin center offering status updates and alerts as well as device configuration and other administrative settings. It also offers connectors for Active Directory and certificate-based authentication for endpoints, ADMX templates to deploy Windows policies, and integration with Entra, Windows (Win32) LoB apps, and other Microsoft-centric services.
Here are some of the key benefits of using Intune:
- The toolset to manage devices, including the ability to deploy and update software, configure settings, enforce policies, and monitor with data and reports
- The ability to administer and manage virtual and physical devices, regardless of their physical location
- Maintain a network of devices running common operating systems, including Windows, macOS, iOS/iPadOS, Linux, and Android
- Automate policy management and deployment for apps, device features, security, and compliance
- Optimize device features for business use
- Provide a single point of management for devices, including the ability to manage devices from a central console
- Secure and protect data on devices, including safeguards and measures to prevent unauthorized access
Intune also offers a range of reporting capabilities, including reporting on apps, device compliance, operations, security, and users. Additionally, it provides device-only subscriptions for single-use devices such as kiosks. Remote support is available as a premium add-on to Intune, even with an M365 E5 license.
Patching and Software Management
Patching and software management are crucial aspects of Azure MDM. JumpCloud offers cross-OS patching, supporting the patching of leading browsers in a unified interface. Admins can also fully manage Chrome by enrolling in Chrome Browser Cloud Management.
JumpCloud's patching capabilities are more comprehensive than Intune's, which has disparate offerings for OS and browser patching. Windows AutoPatch is an Intune feature that's only available for Windows and requires Windows Enterprise E3 licensing.
For software management, JumpCloud features software management for Android, Apple, and Windows using Chocolatey. This includes a private repository, which will be available soon, allowing admins to upload, deploy, and update private Windows and macOS apps.
Intune's Mobile Application Management (MAM) configures, monitors, pushes, secures, and updates mobile apps, including "Intune Protected Apps" like MS Office. However, customers have reported that Intune's software deployment and polling works on Microsoft's schedule, creating management unknowns.
Patching
Patching is a crucial aspect of software management. It's essential to keep your systems up to date to prevent security vulnerabilities and ensure smooth operations.
JumpCloud offers cross-OS patching and supports the patching of leading browsers in a unified interface. Admins can manage Chrome by enrolling in Chrome Browser Cloud Management.
Intune has separate offerings for OS and browser patching, with unique technical quirks. This can make it harder to manage updates across different platforms.
Windows AutoPatch is an Intune feature that only works for Windows and requires Windows Enterprise E3 licensing. It uses Windows Update for Business to manage updates.
You can also designate an update band for Windows under the Endpoint Security interface blade in Intune. This allows for more granular control over updates.
Azure Update Center is a preview feature that's intended to become a unified service for managing updates. It's not clear if it's an add-on for Intune or an included feature.
Software
Software management is a crucial aspect of patching and maintaining your organization's devices. JumpCloud offers software management for Android, Apple, and Windows, including Chocolatey for Windows, with a private repository available soon.
Files uploaded to JumpCloud are scanned for integrity and controlled versioning is used, ensuring that only authorized versions of apps are deployed. File size limits have been removed for custom macOS apps, giving you more flexibility.
Intune's Mobile Application Management (MAM) configures, monitors, pushes, secures, and updates mobile apps, including "Intune Protected Apps" like MS Office that secure corporate data. The Windows interface under "apps" allows you to assign apps to groups of devices.
Extended fee-based storage is available if needed, giving you more storage options for your custom apps. Intune's inventory and "discover" features allow you to track apps on registered Windows endpoints.
Here's a comparison of the software management features of JumpCloud and Intune:
JumpCloud's software management features are designed for seamless deployment and management of apps, while Intune's MAM features are geared towards enterprise deployments.
Frequently Asked Questions
What does Microsoft MDM do?
Microsoft MDM (Mobile Device Management) helps IT administrators manage and secure company devices by remotely deploying apps, setting operating system restrictions, and more. It enables secure and controlled device management for a productive and secure work environment.
What is MDM and what is it used for?
MDM (Mobile Device Management) is software that helps organizations secure and manage employees' mobile devices. It enables businesses to protect corporate networks and allow employees to work on their personal devices securely.