The Enterprise Mobility Roundup

Lessons Learned from Deploying Microsoft Intune, with Guest Brian Grant - Atea

BlueFletch Season 3 Episode 258

Ready to unlock the secrets of seamless mobile device management with Microsoft Intune? This episode of the Enterprise Mobility Roundup features Brian Grant, solution architect at Atea, and Patrick McGlynn, BlueFletch lead system engineer, sharing invaluable lessons from their hands-on experience with Intune deployments. We explore why organizations are increasingly gravitating towards Intune, highlighting its cost benefits and advanced features that provide a unified endpoint management approach for both mobile and Windows devices. Brian also shares insights into the tight integration with other Microsoft services, making Intune an exceptionally appealing choice.

Managing mobile devices across various sectors is no small feat. Brian and Patrick discuss the unique challenges faced when deploying Intune, especially compared to other management tools like SOTI and Workspace ONE. They offer real-world solutions to common hurdles, such as deploying non-Play Store applications on Android devices and navigating the intricacies of organizational changes within Intune. The conversation underscores the importance of modern app deployment practices, driven by customer demands and Google's evolving requirements, to ensure a smooth transition and enhanced device management.

To wrap up, we explore practical tools and techniques that make managing Intune easier. Brian emphasizes the power of Microsoft Graph and APIs for reporting, while highlighting the EBF Onboarder tool for efficient migrations from other MDM systems. We discuss the role of Azure Automation and RBAC features in streamlining administrative tasks, alongside the continuing growth of Intune in Android enterprise management. Whether you're a seasoned IT professional or new to Intune, this episode is packed with actionable insights to optimize your deployment strategy and leverage Intune's robust capabilities fully. Join us for this enlightening conversation and take your device management to the next level!

Speaker 1:

Hey everybody, welcome again to the Enterprise Mobility Roundup podcast. Today we're chatting with Brian Grant, who's a solution architect with Atea, about lessons learned from deploying Intune in the real world. In addition to Brian, we also have Patrick McGlynn, who's one of our lead system engineers, who will be talking through this process with Brian. So, Brian, turning it over to you, what do you do specifically with Atea and what do you focus on there?

Speaker 2:

Yeah, thanks for inviting me. First of all, yeah, Brian Grant, solution architect at Atea. I'm actually located in Sweden. In Sweden we attend as a Nordic company. It's a leading provider of IT infrastructure solutions. Over 8,000 employees spread around 88 offices in Sweden, Norway, Finland, all the Baltic countries like Lithuania, Latvia, Estonia, etc. So what we do is we provide professional services. We have, like where I'm located, in the digital workplace area and we also have solutions around data center and networking solutions, etc. So my main focus as a solution architect at Atea is around mobile device management. That's pretty much what I've been doing the last five, six years. Prior to that, I was very much into Windows deployment with SCCM, et cetera. So my focus right now is providing solutions to our customers. We have both public customers. We have private customers in different areas and the last two, three years has been really a lot focused around frontline workers. So that's what I'm going to do.

Speaker 1:

So, Brian, thanks for that, I appreciate it. So I mentioned we're going to be talking about Intune today and a little more framing around that. I think what we'd like to talk about is why you've heard people are moving to Intune, what sort of device types the folks are moving to, what are the role types that you see using Intune and how common is it becoming versus some of the other MDMs you've worked with? So yeah, I think I'd like to hear a little bit more about that.

Speaker 2:

Okay, yeah, obviously, Microsoft has made a lot of progress in that area, especially a lot of these customers that we have here in the Nordic countries. They are Microsoft heavy, you know, with the licensing and everything. They have the Microsoft 365 license, E3, E5s, F1s, F3s. There are a lot of people they're looking at costs, of course, and a lot of these customers they've already had another MDM, they probably had MobileIron or AirWatch, et cetera. So what's happening now? What we're seeing is that they're looking more to Intune, of course, because you have the features that are provided there pretty much is on par with most of these other providers and some instances actually are ahead of these providers as well, and so what they're looking at is kind of consolidating into one product or to one provider, and that kind of triggers a lot of migrations, so to speak, from a lot of our customers right now.

Speaker 3:

Are you seeing that these customers already were using Intune or Endpoint Manager to manage their workstations and laptops and now they're bringing mobility into that space? Or is this more of a new install, usually with Mobility Plus Intune?

Speaker 2:

Yeah, it's both ways. Actually, what we're seeing is with the mobility part is they already manage their Windows devices. Of course, a lot of these companies and the public sector are getting more aware of the security breaches with the mobile devices. They're kind of looking at how do we manage these devices more efficient, how can we get more control and also provide services that would benefit the end users? I don't know really, it's 50-50. Some of them already have, of course. They've managed their Windows devices.

Speaker 2:

They want to manage their mobile devices and they're seeing why we use three, four tools to manage the same. We can have everything in one, like the unified endpoint management. That's what they're kind of striving towards. So mobile devices is basically what they're getting more into. That I think they're seeing the benefits of having managing devices right now and especially in the different spaces of the frontline workers. That's kind of triggered a lot. That's why I've been having some contact with you guys looking at different solutions that probably Intune might not be able to provide fully and the mobile device management solutions can't even they can't even provide that. So I think BlueFletch is one really good tool, together with Intune as well. Nice.

Speaker 3:

So I know you mentioned some. Cost savings is a big reason people are jumping to Intune. What are the other perceived benefits or advantages that you see customers being able to take advantage of when they jump to Intune? Are there other things that are drawing people or other features that, out of the box with Intune, you think are nice to have?

Speaker 2:

I think, since Intune has a wide range of the possibility to manage different platforms, that rouse their intention for us. Lately, as you probably heard about previously with managing Macs, Microsoft have been like, okay, just use Jamf or whatever if you want to have more advanced management. But the customers have actually been requesting Microsoft: you have to step up here now. You have to do something about this. We want to have Intune to manage it. We can't have like two or three different tools. So I think that's something that kind of has made it bigger or more requested.

Speaker 3:

I think the other thing that I'm hearing is just the tighter integration with Microsoft, as you called out. I already have the licensings, but if you're using Microsoft apps or conditional access policies or ID, there is tighter integration there.

Speaker 2:

Yeah, it's all the security thing, all the security solutions with Entra. You have Azure, you have everything integrated into Entra ID. Benefits of, as you said, conditional access is one big thing, of course, and what Microsoft has been doing with the shared device mode part is also a big thing that they have integration with single sign-on for their shared devices. So you can see, on the Apple devices you have the iOS, you have the macOS as well. I think they're pretty much on par with all the other providers. That's what we're seeing right now and a lot of these customers are asking for. You know, can you help us get started with Intune?

Speaker 1:

That brings up an interesting question. So you mentioned that a lot of the reason you're seeing customers, at least initially, move to Intune is because of the perceived cost savings and because of just the systemic integration and the decisions are being made maybe more at a fiscal level than necessarily a practical day-to-day on the ground administrative level. How are you coaching your customers when they're making that move, say from another MDM to Intune? Is there a playbook you run through with what to expect when you're moving, or is there a framework that you use like a common questions that you know they're going to be asking, that you have to be prepared for? I'm just curious from the perspective of, as they're making that move, what do they need to think about?

Speaker 2:

Yeah, that kind of depends because we have such a range of different kinds of customers. You know, if you go to the public sector, they have kind of different challenges. So it all depends on what kind of tool it is they're using today and where they're going and what advanced level they are on. Because some of these customers, they're managing their devices on a very basic level and we're seeing, you know, we can tell them straight away. You know, if you're just going to do one-on-one, it's no problem with Intune, you can do that, no problem. But you can add these benefits if you go to Intune as well, if you have, you know, with the conditional access part, and there you go, wow, okay, so we can get this and that, and that's something where I think when we have these discussions, that's where they kind of get a little bit excited. They're excited, of course, to see that they're actually getting some more value from having those tools.

Speaker 2:

But of course there's the other way around. We have customers that are saying, okay, but we want to have these specific features, because if we don't have these, it's going to be very hard for us in the scenarios that we have or the use cases. So I think we're going to stick with SOTI on these use cases, but let's go to Intune on the other use cases and we'll see what happens in the future with Intune, if it's going to develop a little bit more into that direction that we can actually meet up. So, yeah, I think it depends on which the consultant that is actually delivering this as well, and where the team that is delivering it.

Speaker 1:

Uh, depending on, you know, who it is. Okay, yeah, no, that makes sense. So with a let's say, let's take a private customer, for example, would you say there's one question that you know they're always going to ask, or is it? You know, is there a biggest hurdle? I guess, if you had to identify one, for example, you think you hear more than any other.

Speaker 3:

Yeah, so I think from an Android perspective, what I hear most is how can we deploy applications that are not in the Play Store to devices, and I think that's a big shift in the way companies have to think about Android management. Intune is very much aligned with the Android Enterprise standards around pushing things through the Play Store and getting away from the functionality that SOTI and Workspace ONE have done for years with installing APKs and doing that from an agent and pushing files, and it's definitely a shift in thinking of how you deploy software, and I think that's probably the biggest hurdle.

Speaker 3:

There are questions around that I hear, and then I think the other one, Brian, you touched on earlier was organization of devices inside of the EMM. Workspace ONE and SOTI have a very good tree structure and folder structure and all these dynamic assignment rules and I found those are pretty easy to use. But Intune, it takes a lot more work to get those groups populating and it's a lot more difficult to view the structure of how your device is segmented. And yeah, Brian, I know you talked on that earlier.

Speaker 2:

You might have some more to add. No, but that's very true part is probably one of the biggest ones I would say as well when you're saying it, because a lot of these customers are used to, or actually the ones that deliver the apps.

Speaker 2:

They're still in the mode of, you know, delivering APKs. Yep, they don't have them in the Play Store. They're customer specific apps. They don't provide them through the managed Play Store. So that's actually true, that's actually one of the biggest ones. But delivering apps any other way than the managed Play Store is it's not possible really in Intune right now. That's just the reality of it. And because Microsoft has decided, you know, they're going to go with the Google standard 100%, and that's the way it is.

Speaker 1:

So does that mean a customer is stuck at that point? If they have to deploy an application through the Google Play Store but say, for example, their vendor is not able to supply the application that way, what are the workarounds for that? Or they just can't use that application anymore.

Speaker 2:

And the workaround is pretty much that the vendor has to. They really pretty much have to look at the more modern way of using apps and that's the way that Google they want them to go with the Play Store. So they're pretty much forced to go that way because the customer is demanding it, and if the customer is not going to get that from their vendor, they're going to go somewhere else.

Speaker 3:

Yeah, I agree with that, Brian. If a vendor gives you an APK and you try to upload it, it's going to say this APK is blocked because it's already been reserved by namespace.

Speaker 3:

You're not going to be able to do your one-offs, so having to work with vendors probably a little more closely is something that we see with Intune, and then one of the kind of like the fringe benefits of that, though, is that I think it forces people to think in a more, be a little more forward thinking with their Android deployments. It's a big shift, but by, you know, stripping away a lot of those tools and adding these constraints, it's forcing people to think differently about device management, and, you know, in a way, I think that might ultimately be a good thing because of all the things Android and Google are doing around Android management and security, and it's definitely work that has to be done, but I think, ultimately, it'll help people get to that better, more modern state sooner. But what I've seen here in the Nordic countries is that they're, you know, we're pretty advanced in technology and IT, etc.

Speaker 2:

So it's been a lot of these apps that they already have or they're using. These customers in the private sector, in the public sector, they're already there in the Google Play Store, so most of the times, you know, it's not that often that we kind of get into that kind of a problem or an issue or a challenge. Wouldn't be so to say. But we had one customer that actually is a public sector, that had that issue with this, you know, a unique app for this specific public sector company. But they solved that with, you know, with the developer. They gave them the delegated rights in their developer portal, in the Google developer portal, and through that it solved itself so they could actually publish that APK that way.

Speaker 2:

So we help customers to find ways of doing things. So I think it's, as you say, it's a more forward way of working. Today, you know, Google wants us obviously to have more control of security definitely, and I think companies and customers are really into that as well, so they don't get an APK that they don't really know what's in there. Yep, yeah.

Speaker 1:

Yeah, absolutely. I know one of the things that is common for these customers that we've seen to do is, to some extent, some file manipulation on the devices, and with Intune, I know that there's some gaps there. How are you, when you encounter those types of questions, what's the best way to handle that scenario?

Speaker 2:

Well pilot, that we haven't actually touched that much on that, but more on the actually firmware. That's been a big challenge. We have a few customers that are using Honeywell devices. For doing that, it's not that it's really really super basic in Intune. You can't do any maintenance window thing with those firmware updates. When you do the assignment in the OEM config, you have to do it straight away for the updates, and it's not good. So in those cases then we have to turn to like for Honeywell. They have the, what do you call it, operations intelligence. You have to go with that and that's an extra license. So you know, you see there are some challenges with it. I know Zebra, there's a good integration right now with Zebra and Intune, but still they're lacking some stuff regarding the file distribution, firmware updates, etc. So that's something that I think they can improve a lot more on.

Speaker 3:

Yeah, I agree with that, Brian. I think especially from a timeliness, being able to deliver those OTA updates or firmware, OS upgrades or even application updates. Being able to do that in a timely manner is extremely important for workforce devices because you need to limit that outage time. You need to know a device is going to be operational or a shift or a worker.

Speaker 2:

And Intune does, I think, lack in that area a lot because they're used to the way SOTI and they can, due to costs and, as we were talking about before, with licensing costs et cetera. So they're willing to make that sacrifice for a while because they know Microsoft will meet up with better features for that. Reporting is one part that is lacking big time, I think in Intune. But they're picking up there. They know they have it on the roadmap. Reporting is going to get better. That's what I'm seeing at least. It has some improvement to make there definitely.

Speaker 3:

Yeah, I've seen customers have to build a lot of their own custom reporting.

Speaker 2:

Yeah, that's what you need to do.

Speaker 3:

I mean, there's the Graph APIs and those are available and have data, but Microsoft doesn't have a great out-of-the-box dashboarding or reporting layer, so it's very much API driven and sort of custom. Yeah.

Speaker 2:

And I have to have as you called out, Brian.

Speaker 3:

That's something that I think they can easily add in the future.

Speaker 2:

Definitely, I think you have to have the developer skills. That's something I'm lacking. I don't have the developers, so I have to rely on my, you know, my colleagues that are pretty much developers. They can do those API calls and Graph API things with scripts, PowerShell, whatever. But yeah, they can make a lot more improvement there, definitely for Microsoft's part.

Speaker 1:

So from a resourcing perspective, if you're the customer and you are moving from, say, a Workspace ONE or a SOTI over to Intune, because what we just alluded to from a reporting perspective and getting everything set up might be a little bit more depth-heavy, are customers having to reconsider who previously was doing the MDM side of things? Do they have to round out that staffing at all, or is it just a matter of training? I'm thinking from a resource perspective, if you can service your devices on Intune with basically the same headcount resource mix or if you need to be thinking about what skill sets might not be there.

Speaker 2:

Yeah, that's kind of the difference as well. Most of the time they can use the same resources. It depends on what kind of skills they have. But obviously that's why we're here as consultants, those specialities and all those, you know, special cases where they need that extra features or enhanced features, but in most times they can, you know, keep the same resources and I haven't really seen that they've kind of had to, or it was needed to, cut any resources. They could cut any resources, but I think they could go with the same ones. That's pretty much what I've seen.

Speaker 3:

Well, yeah, Brian, you mentioned we talked about, you know, Graph and running Microsoft Graph and running APIs to build the reporting. Are there any other tools or tricks that you have found that can make life a bit easier with Intune? And I'll just cue up one example that you and I have talked about in the past, there was a company based in, I believe, Scandinavia as well, that specialized in migration MDM, migration from one MDM to another and I think it's a company you've worked with in the past, if I'm not mistaken. I'm blanking on their name.

Speaker 3:

Wasn't there a tool to help seamless migration over to Intune?

Speaker 2:

Yeah, I'm trying to remember exactly which one that was.

Speaker 3:

Gosh. Yeah, I forget as well.

Speaker 2:

I know we as BlueFletch have a process that we can help apply I know which Yep.

Speaker 3:

It is really limited to just Zebra devices at this time. I think the tool was EBF Onboarder. Is that right yeah?

Speaker 2:

EBF Onboarder. That's the one. I think it's a German company actually.

Speaker 3:

Oh, okay, it's a German company, sorry.

Speaker 2:

Yeah, no problem. Yeah, that tool is something that we've used some of our customers to do, that migration and they have a good, it's a good way of I think they support, you know, migration from all the major MDM, EMMs today to go to Intune and also actually the other way around, but most of the customers are going towards Intune.

Speaker 3:

Yep, I would say more than half, maybe even 75% of new customers we talk to engage with us because they are moving to Intune and either they have anxiety about it or they have concerns about it or they're looking for enhancements on top of it. And that's where our BlueFletch launcher comes in is just trying to improve that end user's experience on the device. I think of what BlueFletch offers is what users see and touch and feel every day when they're on their device to make that a smooth experience. And then Intune is kind of the guy behind the curtains pulling all the strings and pushing the software.

Speaker 2:

Yeah.

Speaker 3:

Are there other tools, I think, besides what BlueFletch offers and all of our SSO and device finding stuff that you see as a good fit with Intune?

Speaker 2:

Not at the moment, actually. No, I would say. You remember we were discussing about the possibility to the renaming of Android devices. Yep, yep, we have a whole bunch of samples where we're using Azure Automation accounts or an Azure Automation process for script for renaming devices or doing whatever you need to do. That's actually when we're utilizing the Graph API. We had a big customer that we actually did this with. They wanted to have, depending on the location of the devices, they needed to have a naming standard that was connected to those specific sites, and by using the script that we developed together with Azure Automation, we were able to do that. So within an hour, the device was renamed according to the enrollment profile that was used in Intune that was connected to those specific sites. So there are tools that you can use within Microsoft Sphere, as we were talking about with Graph APIs and Azure Automation. I think is a great thing to use as well.

Speaker 3:

Yeah, it sounds like there are resources available. It's just do you have the right skill sets to take advantage in it? Exactly. From what we've seen, it's scripting, it's API experience, a knowledge of the Android Enterprise and, yeah, how Google is pushing things, and I think, you know, combination of those tools can allow Intune to work for you in my experience.

Speaker 3:

But it's also not as out of the box, as easy just to click through as like a SOTI or Workspace ONE. And that's just my experience. I know Intune's working on that but I think it takes a bit more experience with that ecosystem. Yeah, I'm coming from the Intune side because I, you know, that's where I was introduced into MDM.

Speaker 2:

So, I'm kind of biased on that. But I've seen, I've been working a little bit with SOTI, with Workspace ONE. I've seen how it works with MobileIron and especially with SOTI. It's very, very specialized into the frontline worker space. We have the Android-specific things and it's a great tool. Nothing to say about that. But we have this large customer that actually they've kind of been looking at both of them. They're saying, well, we're going to manage a whole bunch of other things in Intune as well, so why not manage the frontline workers as well there? So we've actually created solutions for it to work. But then we have to have those things with the developers to do certain things and that's what's needed pretty much.

Speaker 3:

Yeah, I definitely see the desire to want a single pane of glass to manage all of your devices, one licensing cost for all your endpoints, be that laptops or Android.

Speaker 2:

But at the same time, it's not the same people that are managing the entire fleet. Then you have one team that's managing the Android devices, one team that's managing the iOS devices and another team managing the Windows devices. So that's a natural thing, because they've been used to having different tools for different teams. All of a sudden they're going to have one and same tool. But that's one good thing with Intune as well is the possibility to do the RBAC, role-based access, the thing there where you can actually delegate certain things to local IT but they don't have to have the entire Intune administrator role. They can have like a specific roles you can create there with scope tags, et cetera. So if you can use that or know how to use it, it's a great way of delegating tasks to, you know, to service desk, et cetera.

Speaker 3:

Brian, have you just learned the ins and outs of Intune just over years of experience, or have you found any good training resources or courses online to help with this?

Speaker 2:

Both. I think most of it is what I've been kind of learning myself together with my colleagues. We have a great team where we collaborate and have sessions together. We kind of share our experiences within Atea and that's a really good thing. It's not just our local office here. We kind of share with, you know, the entire, at least in Sweden. It's kind of more, even if Atea is in the entire Nordic countries and the Baltics. We tend to collaborate with our own peers within our country but at the same time Atea is kind of pushing more for one Atea. That's been their way of thinking and working now the last two years at least, to try to think a little bit broader, to get help from your colleagues wherever they are and kind of help each other. And from my perspective, everything that I've been doing is more or less what I've been learning myself, but at the same time I've had a lot of help from my colleagues, of course. Yep, yeah.

Speaker 3:

I think my two cents on that is, I've found online training materials, but most of the content seems to be focused on Windows management and less on the iOS or the Android side. And that will change as they're taking market share of those Android devices, but I've felt that there was a bit of a steeper learning curve for me, just because I found less content specifically around Android, which is where BlueFletch focuses. So it's more of me kind of learning as I go on the tool. Yeah, exactly.

Speaker 2:

You know, since we're in a very close partnership with Microsoft, we have those resources as well from the product team and the product group. We have monthly meetings, bi-weekly meetings with the contact there that we can ask questions, we can get straight answers directly from the product team. So that kind of helps as well. But not, you know, not all companies or partners or don't have that kind of though. Yeah, yeah, that's a big advantage for sure.

Speaker 1:

Yeah, um, so I think you know, maybe closing here, what we're hearing is the march towards Intune is not going away, both from a perceived cost perspective, but then also from probably from a security suite side of things as well. The, you know, the CISOs in these organizations are going to be looking for something that's more streamlined and more systemic in terms of integration, easiness of management. So it's going to continue. And then I guess the migration things to think about are the different structures inside of Intune versus the more branch and tree-like structure within some of the other MDMs. But Android definitely is the future in terms of Android enterprise management, that style. So I think it's probably fair to say that Intune is definitely going to continue to grow. Patrick or Brian, do you guys have objections to that or do you agree with that?

Speaker 2:

I agree with that 100%. That's pretty much what we're seeing and it hasn't stopped. It can be more, even accelerated last couple of years since Microsoft has made a lot of great strides and providing new features and enhancing features within Intune. That makes it even more appealing for our customers.

Speaker 1:

Definitely. Sure, okay, you know that makes perfect sense. So in closing, Patrick, is there anything that you wanted to add from your perspective that you've seen or, you know, working with Brian on questions he's asked that force you to learn some things too from an Intune perspective?

Speaker 3:

Yeah, I think I'm learning today that, you know, Intune definitely has its constraints, but they can be overcome with different tools and tricks and scripting and things like that. The benefits of Intune can definitely outweigh that if you're willing to adopt those modern ways of Android management, the deep integration with Entra ID and other examples, with conditional access policies and shared device mode and single sign-on to Microsoft apps. I think it's definitely why people are moving that way. They're fine with the constraints. They either have ways to work around it or they're confident Microsoft's going to make changes in the future to make their life a little bit easier. And ultimately they're looking for that single pane of glass to manage all their devices. So, yeah, I think it's definitely going to keep growing and we're going to keep hearing more and more requests to help with Intune management.

Speaker 1:

Yeah, thanks a lot, Patrick, and so I think, you know, in terms of where we are now. We'll just expect this can continue to grow and, like you said, Microsoft is probably going to continue to mature, make the product more mature, and that features to it. Based on what they're hearing from, you know, folks like Atea and Brian and your team but also from end customers as well. So, you know, I think what we can say is expect to hear more about Intune going forward and, if you do plan on adopting it, plan on a bit of a learning curve, but it's not something that isn't insurmountable or something that can't be overcome with some of the other tools that we discussed. So I think, for today, I'd say thanks again for joining another episode of the Enterprise Mobility Podcast and make sure you reach out to us with any questions that you have about what you heard today or any other subjects you have on MDM or endpoint management.

Speaker 3:

Thanks, Brian, appreciate you being here.

Speaker 2:

Yeah, thanks for having me. Thanks, thank you, thank you.