Trench Tales: Using Intune for mobile device management of privately-owned devices

The General Data Protection Regulation (GDPR) has had a big impact on how businesses operate since it came into effect almost three years ago. Companies based in the EU, and large multinationals with a presence there, have had to adhere to this regulation if they want to avoid being heavily fined. Martin Urwaleck, who heads up the IT team for a pharmaceutical payroll company based in Vienna, Austria, knows all about this challenge, as he had to take concrete steps to ensure his company fully complies with the GDPR. Having had to deal with managing privately-owned mobile devices in our own IT environment, I was interested in finding out how Martin used Microsoft Intune for mobile device management at his own workplace. So I asked Martin a series of questions; he graciously responded and also had his colleague Christoph Kubin provide some screenshots to illustrate how Intune can be used to manage privately-owned mobile devices. Let's start with my question-and-answer session with Martin.

MITCH: Martin, what led you in the first place to seek out and implement mobile device management of privately-owned devices for the company where you manage IT services?

MARTIN: I had to take the GDPR challenge: I needed a solution for using office data on privately-owned devices that we can’t control. Some kind of office container solution that can easily be wiped without any impact on personal data and applications. On the other hand, I expect that sooner or later we will have lots of mobile office devices (tablets or phones) and I want to be prepared. And implementation takes some time.

MITCH: Why did you choose Microsoft Intune as the solution for managing employee-owned mobile devices?

MARTIN: Simple: It’s part of my E3 plan. I always try to use stuff that I already have licensed before looking for additional tools. That doesn’t mean that I wouldn’t invest in one of the big irons if it was needed. But Intune just fits the bill at the moment.

MITCH: So where exactly are you right now in the rollout?

MARTIN: All of the configuration stuff in the portal is done, the rules are created. What we are currently doing is testing against a bunch of different mobile phones to see if everything works as expected.

MITCH: Has everything been smooth sailing so far, or have there been some problems/challenges you’ve encountered along the way?

MARTIN: Well, it was running pretty smooth. But my team would have been stuck several times without support from an experienced Intune guru. It’s not only about configuring Intune — there’s a bunch of pitfalls in other configuration areas as well you need to be aware of.

MITCH: How did you find your experienced Intune guru? Is he part of your network of IT colleagues, or did you have to go guru-hunting?

MARTIN: I’ve been working for 30-plus years in IT in different positions on either the customer or contractor end. So, I have accumulated a pretty large network of contacts. Gurus know each other with their different areas of expertise, at least over here in Austria. So basically, you just have to know one! And the best testimonial I’ve found for finding one is word-of-mouth from experienced colleagues.

MITCH: Are there any features Intune still lacks for mobile device management that you would like to see Microsoft add to it in the future?

MARTIN: What I would like to see (maybe I just haven’t found it) is a similar container solution for privately-owned Windows PCs. Initially, we used Remote Desktop Services (RDS) to keep data inside the office, but Microsoft Teams blows up RDS because it’s a resource hog. The more we use Teams, the more we have to issue notebooks for remote work — using Teams on the local PC is no option because of GDPR — and personal data may easily leak either because of the use or because the PC is infected (it’s out of control for us).

MITCH: So, you mean using Teams on the local PC is no option because of GDPR? Are there any other ways that GDPR has created difficulties for companies that have their employees working from home because of the pandemic?

MARTIN: Not in our case. We have only two options for remote work: VPN or RDS. VPN is no problem GDPR-wise and the RDS configuration is pretty strict (i.e., no cut and paste between PC and RDS session, no file transfer) but not so strict that people wouldn’t use it anymore (GDPR would hit again if people started mailing documents to their private accounts to work on their private PCs).

MITCH: Wow, lots to think about there and challenges to face. Can you show us some of how you’re using Intune to manage mobile devices?

MARTIN: Sure, I’ll have my colleague Christoph Kubin, who is an IT administrator here, do this for your readers. Christoph?

CHRISTOPH: My pleasure — here are some screenshots along with a short description:

When you open the Microsoft Endpoint Manager admin center you will see the Home page pane below. This pane provides an overall visual snapshot of tenant status and compliance status, as well as other helpful related links:

[Screenshot: Microsoft Endpoint Manager admin center, Home page pane]

From the navigation pane, select Dashboard to display overall details about the devices and client apps in your Intune tenant, as shown below. This dashboard is completely customizable to your own preferences. Intune lets you manage your workforce's devices and apps, including how they access your company data. To use this mobile device management (MDM) service, the devices must first be enrolled in Intune. When a device is enrolled, it is issued an MDM certificate. This certificate is used to communicate with the Intune service:

[Screenshot: Dashboard pane]

The Devices – Overview pane shown next has several tabs that allow you to view details about the enrolled devices in your Intune/M365 tenant:

[Screenshot: Devices – Overview pane]

From the Devices – Overview pane, select Conditional Access to display details about access policies. Conditional Access refers to ways you can control the devices and apps that are allowed to connect to your email and company resources:

[Screenshot: Conditional Access pane]

Intune includes settings and features that you can enable or disable on different devices. These settings and features are added to “configuration profiles.” You can create profiles for different devices and different platforms, including iOS, Android, macOS, and Windows:

[Screenshot: Configuration profiles pane]

From the Apps – Overview pane, select All apps to see a list of apps that have been added to Intune. You can add a variety of different app types based on the platform to Intune. Once an app has been added, you can assign it to groups of users:

[Screenshot: All apps pane]

I hope these screens and short descriptions will be useful for your readers.

MITCH: They definitely will be. Thank you very much to both of you.

Featured image: Designed by Upklyak / Freepik
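The "office container" Martin describes (company data on a privately-owned phone that can be wiped without touching personal apps) and the Conditional Access pane Christoph shows correspond to two Intune objects: an app protection policy (MAM) and a Conditional Access policy that only lets apps covered by such a policy reach Microsoft 365. The following PowerShell is an added example, not configuration taken from Martin's or Christoph's tenant. It uses the Microsoft Graph PowerShell SDK (Invoke-MgGraphRequest) against the documented Graph endpoints; the group ID, policy names, setting values and the device tag are placeholders chosen for illustration, and the app protection policy is created on the beta endpoint because that is where Intune exposes it.

```powershell
# Added example (not from the original article): build a BYOD "office container" with an
# Intune app protection policy, gate Microsoft 365 on it with Conditional Access, and
# selectively wipe the container on one phone. Requires the Microsoft.Graph.Authentication
# module. The group ID and device tag are placeholders, not values from the article.
Import-Module Microsoft.Graph.Authentication

# Delegated scopes for app protection policies, Conditional Access, and the selective wipe.
Connect-MgGraph -Scopes @(
    'DeviceManagementApps.ReadWrite.All',
    'Policy.ReadWrite.ConditionalAccess'
)

$BYODGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: "BYOD mobile users" group

# 1. App protection policy for Android work apps (iOS is the same shape on
#    /iosManagedAppProtections). Data may only move between managed apps; backup to personal
#    cloud, "save as" to local storage, contact sync, printing and screenshots are blocked.
#    A phone that stays offline for 30 days loses the app data but keeps its personal data.
$androidPolicy = @{
    '@odata.type'                           = '#microsoft.graph.androidManagedAppProtection'
    displayName                             = 'BYOD - Android office container'
    pinRequired                             = $true
    minimumPinLength                        = 6
    organizationalCredentialsRequired       = $true
    encryptAppData                          = $true
    allowedInboundDataTransferSources       = 'managedApps'
    allowedOutboundDataTransferDestinations = 'managedApps'
    allowedOutboundClipboardSharingLevel    = 'managedAppsWithPasteIn'
    saveAsBlocked                           = $true
    dataBackupBlocked                       = $true
    contactSyncBlocked                      = $true
    printBlocked                            = $true
    screenCaptureBlocked                    = $true
    periodOfflineBeforeAccessCheck          = 'PT12H'   # re-check access after 12 h offline
    periodOnlineBeforeAccessCheck           = 'PT30M'   # re-check access every 30 min online
    periodOfflineBeforeWipeIsEnforced       = 'P30D'    # wipe app data after 30 days offline
}
$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/beta/deviceAppManagement/androidManagedAppProtections' `
    -Body ($androidPolicy | ConvertTo-Json -Depth 5) -ContentType 'application/json'
"Created app protection policy $($created.id)"

# Scope the policy to the BYOD group.
$assignment = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $BYODGroupId } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceAppManagement/androidManagedAppProtections/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 6) -ContentType 'application/json'

# 2. Conditional Access: on Android and iOS, Microsoft 365 is reachable only from an app that
#    is covered by an app protection policy. Created in report-only mode; switch state to
#    'enabled' once the sign-in logs show no unexpected blocks.
$caPolicy = @{
    displayName   = 'BYOD mobile: require app protection policy'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeGroups = @($BYODGroupId) }
        applications   = @{ includeApplications = @('Office365') }
        platforms      = @{ includePlatforms = @('android', 'iOS') }
        clientAppTypes = @('mobileAppsAndDesktopClients', 'browser')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('compliantApplication')
    }
}
$ca = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' `
    -Body ($caPolicy | ConvertTo-Json -Depth 6) -ContentType 'application/json'
"Created Conditional Access policy $($ca.id) in report-only mode"

# 3. Selective wipe of the container on a single phone (e.g. lost device or leaver):
#    removes company data from the managed apps only. The device tag is read from the
#    user's managedAppRegistrations first.
function Get-OfficeContainerRegistrations {
    param([Parameter(Mandatory)] [string]$UserPrincipalName)
    (Invoke-MgGraphRequest -Method GET `
        -Uri "https://graph.microsoft.com/v1.0/users/$UserPrincipalName/managedAppRegistrations").value |
        Select-Object deviceName, deviceType, deviceTag, lastSyncDateTime
}

function Invoke-OfficeContainerWipe {
    param(
        [Parameter(Mandatory)] [string]$UserPrincipalName,
        [Parameter(Mandatory)] [string]$DeviceTag
    )
    $body = @{ deviceTag = $DeviceTag } | ConvertTo-Json
    Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/v1.0/users/$UserPrincipalName/wipeManagedAppRegistrationsByDeviceTag" `
        -Body $body -ContentType 'application/json'
}

# Usage (placeholder UPN and tag):
# Get-OfficeContainerRegistrations -UserPrincipalName 'jane.doe@example.com'
# Invoke-OfficeContainerWipe -UserPrincipalName 'jane.doe@example.com' -DeviceTag '<tag from the list>'
```

Two practical checks: verify in the Intune portal that the target apps (Outlook, Teams, the Office apps) are actually attached to the app protection policy, because a policy with no target apps protects nothing, and leave the Conditional Access policy in report-only mode until the sign-in logs confirm that unmanaged mobile apps are the only clients it would block.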

2 thoughts on “Trench Tales: Using Intune for mobile device management of privately-owned devices”

  1. Have you considered using application protection policies, Conditional Access, Azure data protection, Teams policies and some other features to provide Teams access outside RDS and yet control your data?
    BTW, RDS is no longer actively developed by Microsoft for on-prem, so keep this in mind :O

  2. Martin Urwaleck

    We are implementing basically everything M365 gives us security-wise, but only step by step. Conditional Access and Teams policies are already implemented. RDS is currently used because we needed a fast solution during the first COVID lockdown – it was not part of my initial plan. Our biggest issue cloud-wise is GDPR – in the current situation we can't put any data onto OneDrive or SharePoint, as our core business is dealing with highly sensitive personal data.
