Learning from mistakes is key in the IT world, especially when dealing with sophisticated systems like Intune. Below, I will detail some of the most common mistakes I’ve seen with Microsoft Intune, what kind of issues they can cause, and how to correct them.
- Mismatch of User and Device Assignment
An issue worth highlighting, and one called out in Microsoft’s documentation, is mixing user and device groups in a single assignment. Intune evaluates user group and device group memberships at different points in the deployment process, so assigning an application to a user group while excluding a device group does not behave the way most admins expect. Handle these assignments deliberately, and use assignment filters rather than group exclusions where you need to carve out devices.
- The Pitfalls of Deploying MSI Line of Business Apps
MSI Line of Business (LoB) applications were never perfect to begin with, and their shortcomings have become more apparent over time. Their capabilities have not kept pace with the evolution of Win32 app deployment, so it is recommended to avoid MSI LoB apps altogether. Rather than running into the problems associated with their deployment, package these applications as Win32 apps instead.
- The Importance of Monitoring Apple Certificates
Neglecting to monitor Apple certificates can lead to significant issues. The certificates associated with Apple Business Manager or Apple Education need regular attention to avoid service disruptions or potential data loss scenarios. Different tools can be used to ensure certificate validity, from setting simple calendar reminders to utilizing Azure Automation.
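The following is an added example, not code from the original article or from Algiz Technology. It turns the "monitor your Apple certificates" advice into a script you can schedule as an Azure Automation runbook: it queries Microsoft Graph for the Apple MDM push certificate, every VPP token and every Automated Device Enrollment (Apple Business Manager / Apple School Manager) token, and flags anything expired or expiring soon. It assumes the Microsoft.Graph.Authentication module is installed, that the identity used holds the DeviceManagementConfiguration.Read.All, DeviceManagementApps.Read.All and DeviceManagementServiceConfig.Read.All permissions, and that $WarnDays (30 days here) is a threshold you choose; it is not an Intune setting.

```powershell
# Added example (not from the original article): report expiry of Apple MDM push
# certificate, VPP tokens and DEP tokens through Microsoft Graph.
# Assumptions: Microsoft.Graph.Authentication is installed; the caller has the
# read permissions listed in the lead-in; $WarnDays is an arbitrary threshold.
param(
    [int]$WarnDays = 30
)

Import-Module Microsoft.Graph.Authentication

# In an Azure Automation runbook, use the managed identity instead:
# Connect-MgGraph -Identity
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All',
                        'DeviceManagementApps.Read.All',
                        'DeviceManagementServiceConfig.Read.All' -NoWelcome

$now      = (Get-Date).ToUniversalTime()
$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding {
    param([string]$Kind, [string]$Name, $Expires)
    # Graph returns ISO 8601 strings; [datetime] handles both string and DateTime input.
    $exp      = ([datetime]$Expires).ToUniversalTime()
    $daysLeft = [math]::Floor(($exp - $now).TotalDays)
    $status   = if ($daysLeft -lt 0)          { 'EXPIRED'  }
                elseif ($daysLeft -le $WarnDays) { 'EXPIRING' }
                else                          { 'OK'       }
    $findings.Add([pscustomobject]@{
        Kind     = $Kind
        Name     = $Name
        Expires  = $exp.ToString('yyyy-MM-dd')
        DaysLeft = $daysLeft
        Status   = $status
    })
}

# 1. MDM push certificate: one per tenant; the call fails if none was uploaded.
try {
    $apns = Invoke-MgGraphRequest -Method GET -OutputType PSObject `
        -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/applePushNotificationCertificate'
    Add-Finding -Kind 'APNs' -Name $apns.appleIdentifier -Expires $apns.expirationDateTime
} catch {
    Write-Warning "No Apple MDM push certificate found: $($_.Exception.Message)"
}

# 2. VPP (Apps and Books) tokens: a tenant may hold several.
$vpp = Invoke-MgGraphRequest -Method GET -OutputType PSObject `
    -Uri 'https://graph.microsoft.com/v1.0/deviceAppManagement/vppTokens'
foreach ($t in $vpp.value) {
    Add-Finding -Kind 'VPP' -Name "$($t.organizationName) ($($t.appleId))" -Expires $t.expirationDateTime
}

# 3. Automated Device Enrollment tokens (ABM/ASM): only exposed on the beta endpoint.
$dep = Invoke-MgGraphRequest -Method GET -OutputType PSObject `
    -Uri 'https://graph.microsoft.com/beta/deviceManagement/depOnboardingSettings'
foreach ($t in $dep.value) {
    Add-Finding -Kind 'DEP' -Name $t.appleIdentifier -Expires $t.tokenExpirationDateTime
}

$findings | Sort-Object DaysLeft | Format-Table -AutoSize

# Non-zero exit lets a schedule or monitoring job alert on the run.
if ($findings | Where-Object Status -ne 'OK') { exit 1 }
```

Run it interactively once to confirm the three calls succeed for your tenant, then publish it as a runbook on a daily schedule and alert on the failed-job signal; the DEP call uses the beta endpoint, so treat that part as subject to change.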
- Overloading Autopilot ESP with Apps
A common misstep is to treat Intune and Autopilot as if they were SCCM or MDT by loading Autopilot’s Enrolment Status Page (ESP) with an excess of applications. A streamlined approach focusing on essential applications is preferred, ensuring the Autopilot experience is swift and seamless for users.
- Inappropriate Use of Autopilot with Hybrid Azure AD Join
Intune, Autopilot and Azure AD work together as one provisioning process. Keeping devices Hybrid Azure AD joined may seem like a necessary intermediate step, but Autopilot isn’t designed to be used with Hybrid join. For the best experience, migrate devices to Azure AD join and fully modern management when provisioning and re-provisioning.
- Misuse of Compliance Policies
A common oversight is the failure to make use of Intune’s compliance policies. Non-compliant devices pose a significant security risk and should be kept out of your environment. For better security, link compliance policies to a Conditional Access policy so that non-compliant devices are denied access to resources.
- The Risk of Granting Users Admin Rights
This is a common and high-risk mistake. Users, including IT staff, should not have admin access by default. If administrative access is needed, it should be provided through a separate account for enhanced security. Intune’s new additions, Endpoint Privilege Management and LAPS for Azure AD devices, should be utilized to minimize risks.
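The following is an added example, not code from the original article or from Algiz Technology. It shows one way to find out whether the "no admin rights by default" rule actually holds on your fleet: an Intune remediation detection script that lists the local Administrators group and reports any member not on an approved list. Exit code 1 tells Intune the device needs remediation; exit 0 means it is compliant. $Approved is an assumed allow-list you would replace with your own standard; the fallback to the ADSI WinNT provider is there because Get-LocalGroupMember can fail on Azure AD-joined devices when it cannot resolve cloud SIDs.

```powershell
# Added example (not from the original article): Intune remediation detection script
# that flags local Administrators group members outside an approved set.
# Assumption: $Approved is a placeholder allow-list, not a Microsoft default.
$Approved = @(
    'Administrator',   # built-in account; its password should be managed by LAPS
    'Domain Admins'    # placeholder; drop this entry on pure Azure AD-joined devices
)

function Get-LocalAdminMembers {
    # Prefer the built-in cmdlet, looking the group up by its well-known SID so a
    # renamed or localised group name does not break the check.
    try {
        Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop |
            ForEach-Object { $_.Name }
    } catch {
        # Fallback: the ADSI WinNT provider resolves members the cmdlet cannot.
        $group = [ADSI]'WinNT://./Administrators,group'
        $group.psbase.Invoke('Members') | ForEach-Object {
            $path = $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null)
            # AdsPath looks like WinNT://DOMAIN/Name; normalise to DOMAIN\Name
            ($path -replace '^WinNT://', '') -replace '/', '\'
        }
    }
}

$members    = Get-LocalAdminMembers
$unexpected = foreach ($m in $members) {
    $short = ($m -split '\\')[-1]   # strip the COMPUTER\, DOMAIN\ or AzureAD\ prefix
    if ($Approved -notcontains $short) { $m }
}

if ($unexpected) {
    # Intune shows this output per device, which is enough to spot drift in reports.
    Write-Output "Unexpected local administrators: $($unexpected -join ', ')"
    exit 1
}

Write-Output 'Local Administrators group matches the approved list'
exit 0
```

Deploy it as the detection half of a remediation package and run it on a schedule; start with detection only and review the reported accounts before pairing it with a remediation script that removes them, since the approved list above matches by name and a renamed built-in Administrator account would show up as unexpected.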
- Neglecting Policy Updates
As Intune is regularly updated, it’s essential to review and update policies accordingly. Policies created a few years ago might need revising to align with the current features and capabilities of Intune.
- Overlooking Enrolment Restrictions
One common oversight is neglecting to configure enrolment restrictions. This can result in unauthorized devices gaining access, leading to potential complications. It’s vital to review enrolment restrictions within Intune to avoid such scenarios.
- Neglecting Azure AD
Since Intune is closely tied to Azure and Azure AD, it’s crucial to understand these systems well. It’s recommended to expand your knowledge base about Azure infrastructure and related elements to manage your Intune environment effectively.
By avoiding these common mistakes, you can more effectively manage your Intune environment.
This article concludes by recommending Algiz Technology as a partner for Intune deployment and support. Algiz Technology is a company that specializes in application packaging and delivery solutions for various platforms, including MSIX, App-V, MSI, etc.