Additional capabilities of the Intune Suite
The Intune Suite offers several advanced capabilities beyond its core functionality, which I will give an overview of in the following article. These include support for specialty devices, firmware over-the-air updates, and Microsoft Tunnel for Mobile Application Management (MAM). Together, these features help organizations manage a wider range of devices, ensure up-to-date firmware, and provide secure access for mobile apps without requiring full device enrollment.
🚇 Microsoft Tunnel for Mobile Application Management
Introduction
Microsoft Tunnel for MAM lets users securely access company data on their personal devices, no device enrollment required. With support for modern authentication, single sign-on, and Conditional Access, it keeps work secure without giving IT access to the whole device. It’s a smart way for companies to boost security while still respecting user privacy and keeping things simple.
Architecture
Microsoft Tunnel is a VPN gateway for Intune that runs on a Linux container and lets you securely access on-prem resources using modern authentication and Conditional Access.
TIP
You can find a more in depth overview of the Archtiecture on Microsoft Learn.
Configuration
Tunnel for MAM uses the Microsoft Tunnel Gateway and has therefore the same requirements you can find here.
Once Microsoft Tunnel is up and running, you’ll just need to add two app configuration policies and an app protection policy to get Tunnel for MAM working.
Microsoft Tunnel configuration
INFO
This will only be a brief overview of the Microsoft Tunnel configuration, as it is a prerequisite for Tunnel for MAM, but is a separate feature.
To start the Configuration you need to open the Intune admin center → Tenant administration → Microsoft Tunnel Gateway
Here you can create the nessecary settings for Server configurations, Sites and Servers.
The following steps are required to create a Microsoft Tunnel:
- Create a Server configuration
- Create a Site configuration
- Install Microsoft Tunnel with a script on your Linux Server
WARNING
In order to use the Microsoft tunnel on your Android or iOS/iPadOS device, you will need the Defender for Endpoint app, as this acts as the tunnel client. For Tunnel for MAM the Defender App is only needed on Android devices. iOS uses a SDK integration for that and does not need the App (Learn more here). In addition, you will need to create a VPN profile in your device settings and custom app settings for the Defender for Endpoint app to direct it to use the tunnel. You can find more information on how to do this here:
App configuration and protection policies
The next step is to create the App configuration and protection policies so that we can extend the Microsoft Tunnel Gateway to MAM Apps (not enrolled devices).
- Open the Intune admin center → Apps
- Here you find the Configuration and Protection blades where you can create the coresponding policies.
You can find a Step-by-Step Guide to create the Android policies and iOS policies on the Microsoft Learn Page.
- Android - App configuration for Defender
- Android - App configuration for Edge
- Android - App protection for Edge
- iOS - App configuration for LOB apps (Tunnel for MAM SDK)
- iOS - App configuration for Edge
- iOS - App protection
TIP
You can also find an interactive Demo on the Learn page, that not only shows you how to create the settings, but also how it looks on the mobile OS.
References
- Microsoft Learn - Microsoft Tunnel for Mobile Application Management
- Youtube - Microsoft Intune Tunnel for Mobile Application Management
☁️ Firmware over-the-air update
Introduction
INFO
Firmware over-the-air update supports currently only Zebra LifeGuard for Android.
Zebra LifeGuard Over-the-Air (LG OTA) Integration with Microsoft Intune is a feature that allows organizations to manage firmware updates for Zebra Android devices directly through the Intune. This integration helps with single pane of glass management and simplifies hands-free, automated deployment of updates.
How to set it up?
- Step 1: Set up Zebra Connector
- Step 2: Enroll Devices with Zebra LG OTA Service
- Step 3: Create and Assign Deployments
- Step 4: View and Manage Deployments
References
- Zebra LifeGuard Over-the-Air Integration with Microsoft Intune - Microsoft Learn
- Zebra's LifeGuard for Android™ Product Video - YouTube
- Zebra Documentation
📺 Support for specialty devices
Introduction
Intune Suite’s Support for Specialty Devices makes it easier to manage and secure things like AR/VR headsets, large smart screens, and certain meeting room devices.
IT administrators can use this support to ensure that these devices are secure and compliant with organisational policies. Features include device provisioning, certificate and Wi-Fi management, Conditional Access, device compliance, app lifecycle management and remote actions.
How does it work?
You can enrol the following devices using the Company Portal App or via web enrolment:
- AR / VR headsets
- large smart-screen devices
- select conference room meeting devices (additional teams room pro licennces are required usually)