Not to be confused with Apple’s music player, Microsoft’s Windows Intune is, in fact, a cloud-based desktop management tool, aimed at small to medium enterprises put off by the cost and complexity of on-premise solutions such as Microsoft System Center.
First released at the start of 2011, Windows Intune has, in the short time since, been upgraded twice, with the latest release designed to make the service more scalable while also adding extra functionality and support for mobile devices. That said, because it’s a hosted service there’s effectively no new code to install: customers receive the new service automatically, with only a few tweaks required to migrate existing Intune setups and take advantage of what’s now on offer.
More of the same
Officially referred to as the June 2012 release, pricing for what is effectively Windows Intune 3.0 remains unchanged. Following an optional free trial, customers are required to sign up for a 12-month subscription which is then paid monthly at a cost of £7.25/month (ex. VAT) per managed system with, as of the June release, support for up to four mobile devices per seat also included.
Customers with large numbers of users can get volume discounts (Microsoft reckons to be able to support up to 5,000 users/devices with Intune) with money off, too, for System Assurance customers looking to add the cloud-based management solution to their portfolio. Note that, as an inducement to move away from XP and Vista, a licence enabling client PCs to be upgraded to Windows 7 Enterprise (and Windows 8, when released) is also included with each Intune subscription.
The mechanics of the service
The way the Microsoft management service works hasn’t changed much in this release. A Windows Intune agent is still required on each PC to be managed, with support here for any version of Windows, starting with Windows XP equipped with SP3. The agent isn’t changed either, but there is a new self-service company portal in this release to allow end users both to add their computers and mobile devices to Intune and to perform other tasks, such as installing authorised applications, themselves.
Desktop and mobile versions of the new company portal are both available and there are facilities to customise the interface, although these are mostly limited to changing the colours. The new Metro GUI is also in evidence in the design of the portal.
Elsewhere, the consoles used to administer Intune accounts are revamped in this release, and there are still two, which can be confusing. However, the main Silverlight-based Web console, used to manage client systems, apply security policies and so on, is largely unchanged apart from a few tweaks when it comes to handling multiple alerts plus the new features added elsewhere.
So what is new?
The first big change in this release of Intune is integration with the cloud-based Windows Azure Active Directory service, the same service used to authenticate and manage Office 365 users. Although not a pre-requisite as such, for customers with Active Directory Federation Services (AD FS) 2.0 this will, effectively, give users single sign-on to Intune using local network credentials rather than requiring a separate Windows Live ID.
Group membership has also been extended in Intune 3.0 to include users and devices instead of just computers as in previous versions. Existing security groups and users in a local AD domain can also be synchronised to an Azure AD domain ready to be managed using Windows Intune, with an all new facility to create dynamic query-based management groups based on user-defined selection criteria as well as the fixed groups previously supported.
On the downside, by synchronising a domain to Azure AD, Intune customers are potentially putting user credentials into the cloud. Microsoft will, naturally, argue the security of the Azure AD service but with sensitive information stored on servers outside of customer control, for many it could be a step too far.
The other major new feature is support for mobile devices, likewise added for the first time in Windows Intune 3.0. More specifically, this release allows for management of Windows Phone 7, iPhone, iPad and other devices running iOS 4.0 or later plus Android 2.1 or above. Moreover, all can be managed in much the same way, through Intune policies, regardless of the platform involved.
A clear move towards addressing growing BYOD (Bring Your Own Device) concerns, Intune 3.0 can be used to both discover mobile devices and centrally manage them as you would desktop computers and notebooks. Lost or stolen devices, for example, can be automatically wiped, access to e-mail and other resources controlled by cross-device policies and authorised users empowered to install line of business apps themselves, through the Intune company portal.
All of which is good news for companies struggling to cope with BYOD, but Intune is reliant on Active Directory and Exchange ActiveSync (EAS) to deliver these benefits, a requirement that, in turn, implies the availability of Exchange Server on the managed network. Not a problem for companies with an in-house Exchange system already, but those using hosted Exchange services (including Office 365), or another messaging platform altogether, may find they are unable to take advantage of the new mobile management capabilities.
Another brick in the wall
Other enhancements include facilities to customise alert thresholds in Intune 3.0 and the ability to make use of the peer-to-peer sharing technology in Windows 7 to economise on bandwidth when distributing updates and other software. It all makes sense, the enhancements in this release working to improve the Windows Intune service and make it attractive to a much larger target audience.
There are a few caveats, such as the need for Exchange to manage mobile devices and the security issues around Windows Azure AD. Such concerns aside, however, there are no real cost implications to the upgrade, so the end result is a very affordable solution with even more functionality on tap to keep tabs on IT users, apps and devices.