Martin McGregor

Don't start your Intune project without considering these factors

When it comes to designing an Intune project, there are things to do and there are things to avoid.  

There is what good looks like, and then there is everything else. Everything else results in a migration journey that degrades the user experience and falls well short of effective device management.

Unfortunately, I have seen many businesses get to the end of their Intune project and realise they missed many critical areas, both at the planning and building phases.  

All too often, I see businesses underestimate the time needed to successfully complete an Intune project, underestimate the resources needed and underestimate the cost involved—all of which prevent them from achieving the best outcome.

Further, without considering the end goal or knowing what a successful Intune project really looks like, businesses are not getting the most out of the solution and end up with significant gaps—again, all of which means more time and money spent, two things we know impact the bottom line, business continuity and employee satisfaction.

So, what does good look like, and what do you need to make your Intune project great?  

The short answer is to plan.  

For the long answer, keep reading.

Plan for automating the entire device build process

At the end of your Intune project, you want to be able to deploy and rebuild devices remotely and automatically at scale. You want the end-user to be able to log in to their device and have everything they need to do their job—no calls to the support desk, no self-installing applications, no waiting for IT to complete manual steps. Simply turn it on, authenticate, and everything is built over the internet.

That's the end goal, which is why it's really important to map out the entire build process before starting your Intune project.  

From setting up a user account and installing applications to patching software, consider every step, every task and every checklist item that goes into deploying, rebuilding and managing a device. This is a critical step in the planning phase and once you have detailed the various steps, you can configure Intune to automate these processes and ensure devices automatically deploy with everything the user needs.  

The big why?  

When you retain manual processes and interventions you are compromising the end-user experience, consuming your IT resources and creating a bottleneck for your organisation. If you don't have the capacity to automate the entire build process, or prefer not to, you need to be aware that there is going to be a significant human cost. Your IT team will repeat the same monotonous tasks over and over: physically taking the device out of the box, setting up user accounts, installing agents, patching, setting default settings, applying security controls and manually deploying the device, all before the end-user can log in and start their work.

This often leads businesses to the point where they realise there is prerequisite work required for their Intune project to succeed. For example, moving away from hybrid Azure Active Directory joined devices, which is a topic in itself.

Review your application inventory and ensure applications deploy through the company portal 

This is the time to determine what applications are critical to your business and employees. 

This is also the time to assign groups and review permissions, but first, you need to ensure all critical applications automatically install on devices and that all non-essential applications are available in your company portal. 

But that's the end goal and what you want to get out of Intune. To get there, well of course you need to plan.  

Determining the critical applications is one part of designing a successful Intune project; you will also need to determine the costs and resources needed to build this into your design. Consider the time and resources needed to take stock of all the applications in use, the time and resources needed to make these applications available in the company portal, and what you need to do or build to ensure these applications automatically deploy on devices.

Along with determining what is needed to automate application deployments, you will need to account for ongoing application packaging and patching. 

Planning for this will allow you to set an appropriate deadline and budget for configuring Intune to automate application management. 

Yes, this can be complex and take significant time, but consider what it takes to package your applications and keep in mind this work often needs to be repeated each time a new version is released. 

Now consider what it would mean to your IT team if they did not need to manually package or patch each application on every single device. What would it mean for employees to turn their devices on for the first time and have everything they need already installed and ready to use?  

When you plan for this in your design, you can make all your essential and non-essential applications available through the company portal, applications will automatically deploy and update, and you can remove local admin rights because end-users will no longer need to install or update applications on their devices.

Azure Active Directory also allows you to set up and assign user groups, which is why it's important to understand the different critical applications to the different groups and employees at the beginning of your project. 

When you are diligent about making sure applications deploy through the company portal, you can build processes to automate updates and remove local admin privileges, which are significant security and compliance outcomes. 

Completing this work is also a prerequisite to successful Application Allow Listing measures, which is a tremendous security bonus. In other words, the only software that can run on your end-user computers is software that has been packaged and provided by the IT team.

Capture and back up your end-user settings and preferences

I've seen many Intune projects fail because organisations and IT teams did not consider the end-user experience or did not leave time in the project for capturing the user state. 

It is not ground-breaking to say that most employees just want to be able to do their work without disruption from IT or changes to their device or their desktop environments. 

This is why it is vital to capture user settings and customisations when migrating to a new device management solution like Intune. Again, I sound like a broken record, but this is something you need to plan for when designing your project. 

This process allows users to maintain their familiar working environment and mitigates the need for them to spend time reorganising their devices after migrating to Intune. In addition, capturing the user state can help ensure users do not lose any important data, settings, or favourites during the migration process, which has a significant impact on their experience.  

Ultimately, when a user turns on their device after Intune has deployed it, everything should look and feel familiar. 

It's equally important to continuously capture and back up user state so that when a user's device needs to be rebuilt, they can pick up where they left off.   

If this is not done correctly, users are going to be reluctant to let you rebuild or upgrade their devices in the future. 

Another thing to consider is how to make your employees comfortable with change. You may have some very tech-savvy employees outside of your IT team, but you also may have some employees who are nervous about new technology and systems—new technology and systems they may not want to spend time learning or adapting to. 

If systems are going to be completely different and migrating to Intune means your organisation will have new processes, it's very important to guide your end-users and give them assistance through that transition. This may mean providing resources explaining the changes, doing workshops, or if there's a particularly nervous user, you may need to walk them through the changes and new processes one-on-one. 

You may have all the technical prowess in the world, but if that doesn’t translate to happy and productive end-users, you may be missing the primary point of end-user device management. 

Reinforce your company's identity through customisation and branding 

In today's modern workplace, where remote work is becoming more prevalent, devices are often the only conduit employees have that connects them to the business. This is why it's important to display your company's brand, logos and colours on all digital platforms including employee devices and company portals. 

When employees use devices, applications and platforms branded with company logos and colours, it creates a professional feel and reinforces your company's identity. 

You want to show your employees they belong to something more than just the device they are using; you want to show them what they are part of.

There are numerous opportunities to extend your company's branding including applying themes and colours to Microsoft Outlook and Teams, setting default company screensavers and listing company values on the Microsoft feed. 

Conversely, you don't want to take the customisation or branding too far. If you set default colour settings or screensavers, ensure users have access to change them. You want to be able to create a sense of belonging with your branding and customisation, but you also want to allow users to be able to make changes so they can make their device feel like theirs. This can be particularly true when it comes to background images. 

Take care of your end-user device security 

It is unfair and unacceptable to expect all employees to be successful cyber-attack defenders 24/7. 

While training employees on how to detect and avoid phishing is important, it is not enough to build a robust security posture or defend against cyber-attacks. This is why it is vital to consider how you will protect your employees and their devices when designing your Intune project. 

You will need to configure and implement various policies, systems, and controls. While this takes considerable time, defending against a cyber-attack is a team effort and users should never be left to fend for themselves. 

Policies and controls you should consider in your Intune design include: 

  • Restrict admin access 

Do not leave your employees vulnerable or expose them to unnecessary risk. Restrict admin access and have a system in place for requesting temporary admin privileges if needed. 

Set clear rules on policy exceptions, including when and why they can be granted and ensure you have visibility and can monitor the users with admin privileges. 

  • Consistent patching 

Unpatched applications and operating systems can present a significant attack vector. Scope and build a flexible yet compulsory update regime for your organisation and understand what resources you will require to consistently maintain them. This is often the largest operational cost for Intune projects and it’s a job that never ends.  

  • Configure security settings 

Apply security settings to devices and switch off unnecessary settings to reduce exposure and vulnerabilities. This should be a key deliverable in the project and should be maintained regularly as threats will continue to evolve. 

Making sure end-user devices are kept up-to-date and secure is the responsibility of the team managing those devices. Again, at the beginning of the project you need to be aware of what security controls need to be applied to the devices and how you are going to implement and maintain them, and you need to make sure that this is a key deliverable in your project.
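As an added example (not from the original article), the following detection script, written in the style of an Intune remediation script, gives the visibility over local admin privileges that the "Restrict admin access" point above asks for: it compares the device's local Administrators group against an allowed list and reports drift. The allowed names are assumed placeholders; the exit-code convention (0 compliant, 1 remediation needed) is the one Intune remediations use.

```powershell
# Added example, not from the original article. Detection script reporting
# drift in the local Administrators group so unexpected admin accounts are
# visible in the Intune remediation report. Exit 0 = compliant, exit 1 = issue.
# The allowed list below is an assumed placeholder; replace with your own.

$AllowedAdmins = @(
    'Administrator',            # built-in account, normally disabled
    'AzureAD\BreakGlassAdmin'   # assumed placeholder, not a real account
)

try {
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
} catch {
    # Failing closed: if we cannot enumerate the group, flag the device.
    Write-Output "Could not enumerate Administrators group: $($_.Exception.Message)"
    exit 1
}

# Strip the local machine prefix so 'HOST\Administrator' matches 'Administrator'.
# Entra ID members keep their 'AzureAD\...' prefix; orphaned members appear as SIDs.
$actual = foreach ($m in $members) {
    $name = $m.Name
    if ($name -like "$env:COMPUTERNAME\*") { $name = $name.Split('\')[-1] }
    $name
}

$unexpected = $actual | Where-Object { $AllowedAdmins -notcontains $_ }

if ($unexpected) {
    # Write-Output text is surfaced in the remediation report in the admin center.
    Write-Output "Unexpected local admins: $($unexpected -join ', ')"
    exit 1
}

Write-Output 'Local Administrators group matches the allowed list.'
exit 0
```

Pair it with a remediation script that removes the unexpected members, or run detection-only first to measure how widespread standing admin rights are before changing anything.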

Achieving the best outcomes from your Intune project  

A successful Intune project takes planning, but migrating to native cloud management has enormous potential. 

Along with achieving the best outcomes, considering these five above-mentioned steps allows you to properly scope the cost, time and resources needed to successfully deploy and migrate to Intune. 

Failure to do so will result in compromised end-user experience, increased IT resources and budget overruns. The key takeaway is that planning is vital for a successful Intune project, and businesses need to determine critical applications, assign user groups, and ensure familiar working environments are maintained for end-users. By planning effectively, businesses can achieve a seamless device management system that positively impacts their bottom line and employee satisfaction. 

These are things that not everyone always thinks about but are really critical to having a successful Intune project.