Additional capabilities of the Intune Suite

The Intune Suite offers several advanced capabilities beyond its core functionality, which I will give an overview of in the following article. These include support for specialty devices, firmware over-the-air updates, and Microsoft Tunnel for Mobile Application Management (MAM). Together, these features help organizations manage a wider range of devices, ensure up-to-date firmware, and provide secure access for mobile apps without requiring full device enrollment.

Microsoft Tunnel for Mobile Application Management

Introduction

Microsoft Tunnel for MAM lets users securely access company data on their personal devices, no device enrollment required. With support for modern authentication, single sign-on, and Conditional Access, it keeps work secure without giving IT access to the whole device. It’s a smart way for companies to boost security while still respecting user privacy and keeping things simple.

Architecture

Microsoft Tunnel is a VPN gateway for Intune that runs on a Linux container and lets you securely access on-prem resources using modern authentication and Conditional Access.

TIP

You can find a more in depth overview of the Archtiecture on Microsoft Learn.

Configuration

Tunnel for MAM uses the Microsoft Tunnel Gateway and has therefore the same requirements you can find here.
Once Microsoft Tunnel is up and running, you’ll just need to add two app configuration policies and an app protection policy to get Tunnel for MAM working.

Microsoft Tunnel configuration

INFO

This will only be a brief overview of the Microsoft Tunnel configuration, as it is a prerequisite for Tunnel for MAM, but is a separate feature.

To start the Configuration you need to open the Intune admin center → Tenant administration → Microsoft Tunnel Gateway
Here you can create the nessecary settings for Server configurations, Sites and Servers.

The following steps are required to create a Microsoft Tunnel:

1. Create a Server configuration
2. Create a Site configuration
3. Install Microsoft Tunnel with a script on your Linux Server

WARNING

In order to use the Microsoft tunnel on your Android or iOS/iPadOS device, you will need the Defender for Endpoint app, as this acts as the tunnel client. For Tunnel for MAM the Defender App is only needed on Android devices. iOS uses a SDK integration for that and does not need the App (Learn more here). In addition, you will need to create a VPN profile in your device settings and custom app settings for the Defender for Endpoint app to direct it to use the tunnel. You can find more information on how to do this here:

• Deploy the Microsoft Tunnel client app
• Create a VPN profile
• Use custom settings for Microsoft Defender for Endpoint

App configuration and protection policies

The next step is to create the App configuration and protection policies so that we can extend the Microsoft Tunnel Gateway to MAM Apps (not enrolled devices).

1. Open the Intune admin center → Apps
2. Here you find the Configuration and Protection blades where you can create the coresponding policies.

You can find a Step-by-Step Guide to create the Android policies and iOS policies on the Microsoft Learn Page.

• Android - App configuration for Defender
• Android - App configuration for Edge
• Android - App protection for Edge
• iOS - App configuration for LOB apps (Tunnel for MAM SDK)
• iOS - App configuration for Edge
• iOS - App protection

TIP

You can also find an interactive Demo on the Learn page, that not only shows you how to create the settings, but also how it looks on the mobile OS.

• Microsoft Tunnel for Mobile Application Management for Android
• Microsoft Tunnel for Mobile Application Management for iOS/iPadOS

References

• Microsoft Learn - Microsoft Tunnel for Mobile Application Management
• Youtube - Microsoft Intune Tunnel for Mobile Application Management

Firmware over-the-air update

Introduction

INFO

Firmware over-the-air update supports currently only Zebra LifeGuard for Android.

Zebra LifeGuard Over-the-Air (LG OTA) Integration with Microsoft Intune is a feature that allows organizations to manage firmware updates for Zebra Android devices directly through the Intune. This integration helps with single pane of glass management and simplifies hands-free, automated deployment of updates.

How to set it up?

• Step 1: Set up Zebra Connector
• Step 2: Enroll Devices with Zebra LG OTA Service
• Step 3: Create and Assign Deployments
• Step 4: View and Manage Deployments

References

• Zebra LifeGuard Over-the-Air Integration with Microsoft Intune - Microsoft Learn
• Zebra's LifeGuard for Android™ Product Video - YouTube
• Zebra Documentation

Support for specialty devices

Introduction

Intune Suite’s Support for Specialty Devices makes it easier to manage and secure things like AR/VR headsets, large smart screens, and certain meeting room devices.

IT administrators can use this support to ensure that these devices are secure and compliant with organisational policies. Features include device provisioning, certificate and Wi-Fi management, Conditional Access, device compliance, app lifecycle management and remote actions.

How does it work?

You can enrol the following devices using the Company Portal App or via web enrolment:

• AR / VR headsets
• large smart-screen devices
• select conference room meeting devices (additional teams room pro licennces are required usually)

References

• Managing specialty devices with Microsoft Intune - Microsoft Learn
• Microsoft Management of Specialty Devices - YouTube