This is a continuation of a series of articles on Azure services from an operational engineering perspective; the most recent one introduced Microsoft Graph (link here). The previous articles discussed the Microsoft Graph, its connectors, and Data Connect. This article discusses Intune. The Microsoft Graph API for Intune gives programmatic access to a tenant's Intune data. The API exposes the same Intune operations that are available in the portal; Intune simply behaves like one more service that feeds data into the Graph API.
Microsoft Intune is a cloud-based service that manages devices and their applications. These devices can include mobile phones, tablets, and notebooks. It can help configure specific policies to control applications. It allows people in the organization to use their devices for school or work while the data stays protected: organizational data can be isolated from the personal data on the same device. It is part of Microsoft's Enterprise Mobility and Security (EMS) suite. It integrates with Azure Active Directory to control who has access and what they can access, and with Azure Information Protection for data protection.
Since it is a cloud service, it can work directly with clients over the internet, or it can be used together with Configuration Manager to manage devices. Rules and configuration settings can be set on personal and organization-owned devices to govern access to data and networks. Authenticated applications can be deployed to devices. Company information can be protected by controlling the way users access and share information, and devices and applications can be brought into compliance with the security requirements. Users must opt in to management with Intune on their devices, and they can opt in for partial or full control by organization administrators. These administrators can add and assign mobile apps to user groups and devices; configure apps to start or run with specific settings enabled; update existing apps already on the device; see reports on which apps are used and track their usage; and perform a selective wipe that removes only organization data from apps. App protection policies include using Azure AD identity to isolate organization data from personal data, helping secure access on personal devices, and enrolling devices.
Intune protects data with app protection policies, device compliance policies, and profiles and configuration policies; it manages applications with applications and application configuration policies. It saves device compliance results to Active Directory for conditional access, and it uses groups from Active Directory to scope every activity it performs for users. The authentication and authorization helper libraries that work with Active Directory are used by SaaS applications and Office 365 to integrate with application stores and device experiences. In this way Intune works like a collection of microservices rather than a monolithic control and state-reconciliation plane. End-user devices use the Network Access Control partner, the Mobile Threat Defense connector, and Telecom Expense Management routines to connect with the microservices that protect data and configure devices.
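The Graph API access described in the opening paragraph and the device compliance results this paragraph mentions combine into a routine operational check. The following is an added example, not code from the original article or from Microsoft: it pages through the `deviceManagement/managedDevices` collection (a real Graph v1.0 endpoint, following `@odata.nextLink`) and flags devices that are not compliant or have not synced recently; the `get_json` client parameter and the sample pages are assumptions, constructed so the block runs offline.

```python
"""Walk Intune managedDevices via Microsoft Graph and flag devices that need
attention. The HTTP layer is injected (get_json) so that token handling stays
with the caller and the constructed sample below runs offline."""
from datetime import datetime, timedelta, timezone

GRAPH = "https://graph.microsoft.com/v1.0"
DEVICES_URL = (f"{GRAPH}/deviceManagement/managedDevices?$select="
               "id,deviceName,complianceState,lastSyncDateTime,managedDeviceOwnerType")

def iter_managed_devices(get_json, url=DEVICES_URL):
    """Yield every device, following @odata.nextLink until the collection ends.
    get_json(url) -> dict is the caller's authenticated HTTP client (assumed)."""
    while url:
        page = get_json(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")

def stale_or_noncompliant(devices, now, max_sync_age=timedelta(days=7)):
    """Return (deviceName, reason) for devices whose complianceState is not
    'compliant' (Graph values: compliant, noncompliant, inGracePeriod, conflict,
    error, unknown) or that have not checked in within max_sync_age."""
    findings = []
    for d in devices:
        if d.get("complianceState") != "compliant":
            findings.append((d["deviceName"], f"complianceState={d.get('complianceState')}"))
        last = datetime.fromisoformat(d["lastSyncDateTime"].replace("Z", "+00:00"))
        if now - last > max_sync_age:
            findings.append((d["deviceName"], f"last sync {last.date()} older than {max_sync_age.days}d"))
    return findings

# Constructed sample: two pages shaped like Graph responses (not real tenant data).
PAGE2 = f"{DEVICES_URL}&$skiptoken=CONSTRUCTED"
SAMPLE_PAGES = {
    DEVICES_URL: {"value": [
        {"id": "1", "deviceName": "LAPTOP-A", "complianceState": "compliant",
         "lastSyncDateTime": "2024-05-01T08:00:00Z", "managedDeviceOwnerType": "company"},
        {"id": "2", "deviceName": "PHONE-B", "complianceState": "noncompliant",
         "lastSyncDateTime": "2024-05-01T09:00:00Z", "managedDeviceOwnerType": "personal"},
    ], "@odata.nextLink": PAGE2},
    PAGE2: {"value": [
        {"id": "3", "deviceName": "TABLET-C", "complianceState": "compliant",
         "lastSyncDateTime": "2024-04-01T09:00:00Z", "managedDeviceOwnerType": "company"},
    ]},
}

def demo():
    """Run the check over the constructed pages with a fixed 'now'."""
    now = datetime(2024, 5, 2, tzinfo=timezone.utc)
    return stale_or_noncompliant(iter_managed_devices(lambda url: SAMPLE_PAGES[url]), now)
```

Against a live tenant, `get_json` would be a function that issues a bearer-authenticated GET and returns the parsed JSON body; the paging and the compliance logic stay unchanged.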
Microsoft Intune includes settings and features that enable or disable capabilities on different devices within the organization. These are added to configuration profiles, which can be created for different devices and different platforms, and Intune then assigns the profile to devices. These configuration profiles help complete several tasks, such as blocking ActiveX controls in Microsoft Edge, allowing users to AirPrint to specific printers, allowing or denying access to Bluetooth, giving access to corporate networks, managing software updates, or running a device as a dedicated kiosk. Administrators can draw on a few cloud-based artifacts for this purpose. Administrative templates are hundreds of settings presented in a simplified view for administrators. Group Policy analytics analyzes on-premises GPOs and shows which policy settings are supported. Custom settings extend the available settings when the built-ins don't suffice. Software updates are delivered through Delivery Optimization. Derived credentials can be included with profiles to connect to VPN and Wi-Fi.