How Windows Intune 3 can help you manage and secure your PCs
30th Nov 2012 | 13:00
What your business needs to know about Microsoft Windows Intune 3
The Microsoft Windows Intune cloud service allows IT managers to monitor PCs and apply policies and updates, even if you don't run your own Active Directory. For a low monthly price you get PC and mobile device management plus anti-malware software you can manage centrally instead of the hotch-potch that came with the PCs you bought for employees; for a little extra you can get more management tools and licences for the latest version of Windows - which now means Windows 8.
Keep PCs in tune
You don't need every PC to be running the same version of Windows; Intune works with any of the business versions of Windows from XP SP3 onwards. You don't have to wait for remote or mobile users to log in to a VPN to apply policies; the management agent checks for new policies and re-applies existing ones once a day.
You can check anti-malware protection remotely, set policies for the Windows Firewall, force an update to install or reboot a problematic PC, deploy or audit Microsoft and third-party applications, manage Microsoft and third-party licence agreements, get alerts and reports on anything you're tracking (like PCs running out of disk space) and run remote support sessions – (almost) all in the web portal. Additionally, there are recommended policies for things like mobile security and Windows Firewall to get you started quickly.
The new version of Intune adds management and app hosting for mobile devices (Android and iOS) through a new portal that you can customise as a support centre, plus improvements to software asset management and the reports that tell you what's happening on the PCs you manage.
You can do your management from any PC because you do it all in the browser (although it does need to be a browser that runs Silverlight, so IE 7, Firefox 5 and Chrome 15 or later). If you've looked at previous versions of Intune, the administrator interface is much improved; it's far easier to find the reports you want, to see which alerts are important and to get rid of the ones you don't need to deal with.
However, managing mobile devices, including a handy report that shows you exactly which phones and tablets are collecting company email, is only available if you have an on-premise version of Exchange 2010 SP1.
If you use Office 365 you already have the same mobile device management options because Intune uses EAS policies for enforcing password complexity or encryption and performing remote block or wipe, but you can't yet do it all in the same place.
Distribute apps and applications
You can host mobile apps wherever your Exchange runs, because they show up on the self-service portal alongside the Windows programs you manage through Intune; this also has tools for users to add their own PC to Intune, turn off email on their phone or wipe it remotely, or contact your support team (if you fill in the details for them).
They can't request remote assistance from the portal, just from the Intune software on their PC – just in case they're accessing it from something other than their normal PC – but you can set up email alerts so you don't miss any requests.
To distribute software you need the .APK files for Android apps or the .IPA files (plus manifests) for iOS apps; you can't link to apps that are already in app stores, so this is for software that you've either developed yourself or that you've licensed and have the source code for.
Microsoft updates (for Windows and other Microsoft software) show up automatically in Intune and you can decide which groups to approve these for (or even push them to), so you don't have to rely on users leaving Windows Update turned on to be sure their PCs are up to date. You can also host updates for third-party software the same way you do complete Windows applications, whether they're EXE or MSI installers, or Windows Installer patches (.MSP files). And you can choose groups of users that can install them.
Intune also has the ability to create groups to target security policies and software availability. For example, you can set up a design group for Photoshop, which gives the design team easy access to Photoshop but stops anyone else using up an expensive licence. On the other hand, you probably don't need to force them to have a complex password on their phone just to get company email.
In Intune 3, you can create groups of users or of computers, phones and tablets, as a list or based on queries. You can also look at dynamic groups in reports, like 'which PCs have enough RAM to run Windows 8' or 'how many of the Dell systems we have haven't applied this month's patches from Windows Update'.
The software inventory reports are useful for seeing what applications are installed on the PCs in your business. Tying that to your software licences is a little more manual, because you have to add Microsoft Volume Licence Agreements using the agreement number and type in the details from other software licences by hand.
Incidentally, Intune doesn't check whether you have enough licences whenever a user installs an app and it doesn't send any reports back about how many copies of a program you have installed.
Anti-virus and Windows 8 upgrades
One of the core Intune features is malware protection. Compared to the anti-virus software that comes on most PCs, it's much better suited to business use. It's the same Forefront anti-malware engine used by System Center Endpoint Protection 2012 (and Microsoft Security Essentials) and it scores well in anti-virus testing; it also uses fewer system resources than many security tools, so users will like it.
Sticking with the anti-virus software that comes on a new PC is a false economy because you end up managing multiple products that have to be renewed at different times, so you don't get effective monitoring and alerts.
With Intune you know all your PCs are protected from malware with up-to-date definitions and how often they're being scanned, plus you can see immediately if a virus is detected, so you can warn staff to be more careful online.
You can also push updates to vulnerable software (like Adobe Acrobat) so you can monitor a range of security issues from the same place. The only real drawback here is that Intune is best at automatically removing enterprise versions of other anti-virus software, although until you replace it Intune will report the health of the existing anti-virus software.
Compared to the cost of most anti-malware software, Intune is something of a bargain. For £8.75 per PC per month you get Windows Intune, and you also get upgrade rights to the enterprise version of Windows 8, so you get extra business features like full disk encryption and automatic USB encryption with BitLocker. Additionally, Windows Intune effectively includes Software Assurance (if you already have SA you'll get a discount for that), so if the tools fit what you need, it could be one of the cheapest ways of getting Windows 8 upgrades for your business.