This will be a running list of all the common issues I have run across during Microsoft Intune implementations.
- If any information has changed since the publishing of this article, please let me know so it can be updated.
These issues reflect poorly streamlined provisioning compared to other vendors such as MobileIron and AirWatch.
- A great source on the differences between MobileIron & Intune can be found here:
MobileIron: A Leader in UEM & Zero Trust Security
- If you forget to assign an Intune license to a user, you WILL still be able to register the device into Intune and it will sync, but nowhere in the logs, the Intune MDM app or the Intune Azure portal will it tell you that configurations and applications aren't pushing down because you forgot to assign a license to the user.
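Because the portal gives no signal for this case, the check has to be made from the licensing side. The following is an added example, not code from the original article: it runs over constructed sample data shaped like two Microsoft Graph responses (managed devices with their primary user's UPN, and each user's license details flattened to service plan names) and reports enrolled devices whose primary user holds no Intune service plan. The plan name INTUNE_A is Microsoft's service plan name for Intune; the other plan names, users and device names are constructed.

```python
"""Detect Intune enrolments whose primary user has no Intune license.

Added example (not from the original article). It runs over constructed
sample data shaped like two Microsoft Graph responses, trimmed to the fields
used here:
  - managedDevices:  deviceName, userPrincipalName
  - licenseDetails:  servicePlans[].servicePlanName, flattened per user
The plan name "INTUNE_A" is Microsoft's service plan name for Intune; the
other plan names, UPNs and device names below are constructed.
"""
from typing import Dict, List

# Assumption: these service plan names are the ones that entitle a user to enrol.
INTUNE_SERVICE_PLANS = {"INTUNE_A"}

# Constructed sample: trimmed managedDevices records
MANAGED_DEVICES: List[dict] = [
    {"deviceName": "IPAD-001", "userPrincipalName": "alice@contoso.example"},
    {"deviceName": "IPAD-002", "userPrincipalName": "Bob@contoso.example"},
    {"deviceName": "IPAD-003", "userPrincipalName": "carol@contoso.example"},
    {"deviceName": "KIOSK-01", "userPrincipalName": ""},  # enrolled without a primary user
]

# Constructed sample: service plan names per user, from licenseDetails
USER_SERVICE_PLANS: Dict[str, List[str]] = {
    "alice@contoso.example": ["INTUNE_A", "EXCHANGE_S_ENTERPRISE"],
    "bob@contoso.example": ["EXCHANGE_S_ENTERPRISE"],  # Intune plan forgotten
    "carol@contoso.example": [],                        # no license at all
}


def user_has_intune(plans: List[str]) -> bool:
    """True if any of the user's service plans is an Intune plan."""
    return any(p in INTUNE_SERVICE_PLANS for p in plans)


def unlicensed_enrolments(devices: List[dict], user_plans: Dict[str, List[str]]) -> List[dict]:
    """Return one finding per enrolled device whose primary user lacks an Intune plan.

    UPNs are compared case-insensitively because Graph may return them in
    either case. Devices without a primary user get their own reason: the
    silent non-delivery described above cannot be explained by a missing
    user license there, so they need a separate check.
    """
    plans_by_upn = {upn.lower(): plans for upn, plans in user_plans.items()}
    findings = []
    for device in devices:
        upn = (device.get("userPrincipalName") or "").lower()
        if not upn:
            findings.append({"device": device["deviceName"], "user": None,
                             "reason": "no primary user"})
        elif not user_has_intune(plans_by_upn.get(upn, [])):
            findings.append({"device": device["deviceName"], "user": upn,
                             "reason": "primary user has no Intune service plan"})
    return findings


if __name__ == "__main__":
    for finding in unlicensed_enrolments(MANAGED_DEVICES, USER_SERVICE_PLANS):
        print(f"{finding['device']}: {finding['reason']} ({finding['user']})")
```

Run against real tenant data, the two inputs would come from the managed devices and per-user license details endpoints; the comparison logic stays the same, and a non-empty result is the alert the portal never raises.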
- Apple DEP sync is only allowed after the 15 minute countdown has completed.
- Microsoft Intune support will not support, troubleshoot or help you troubleshoot issues with the native mail app, Gmail or any other third-party email app that is not Outlook.
- Very long delays with device 'sync' check-in: information can take 5 to 10 minutes or more to update in the Intune web portal before it shows which device info and configurations have actually been updated and reported back to Intune.
Re: @Junaid
- The device check-in is every 15 minutes for the first 4 hours after a device is registered, and then once every 8 hours.
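Knowing the cadence lets you tell a device that has genuinely stopped checking in from one that is merely waiting for the portal to catch up. The following is an added example, not code from the original article: it encodes the cadence stated above (15 minutes for the first 4 hours after registration, 8 hours afterwards), treats the 5 to 10 minute portal reporting delay mentioned earlier as a grace period (assumed here to be 10 minutes), and flags devices that have missed a check-in. The device names and timestamps are constructed.

```python
"""Expected Intune check-in cadence and an overdue-device check.

Added example (not from the original article). It encodes the cadence the
article states, every 15 minutes for the first 4 hours after registration and
every 8 hours after that, and treats the 5 to 10 minute portal reporting
delay mentioned above as a grace period (assumption: 10 minutes). The device
names and timestamps below are constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import List

FAST_INTERVAL = timedelta(minutes=15)
FAST_WINDOW = timedelta(hours=4)
SLOW_INTERVAL = timedelta(hours=8)
PORTAL_LAG = timedelta(minutes=10)  # assumption: worst-case portal reporting delay


def expected_interval(registered_at: datetime, at: datetime) -> timedelta:
    """Check-in interval in force at time `at` for a device registered at `registered_at`."""
    return FAST_INTERVAL if at - registered_at < FAST_WINDOW else SLOW_INTERVAL


def next_check_in_due(registered_at: datetime, last_sync: datetime) -> datetime:
    """Latest moment the next check-in should have shown up in the portal.

    The interval that applied at the last successful sync governs when the
    next one is due; the portal lag is added so a device is not flagged for
    reporting delay alone.
    """
    return last_sync + expected_interval(registered_at, last_sync) + PORTAL_LAG


def next_check_in_due_iso(registered_iso: str, last_sync_iso: str) -> str:
    """Same as next_check_in_due(), on ISO 8601 strings as the portal exports them."""
    due = next_check_in_due(datetime.fromisoformat(registered_iso), datetime.fromisoformat(last_sync_iso))
    return due.isoformat()


def is_overdue(registered_at: datetime, last_sync: datetime, now: datetime) -> bool:
    """True when `now` is past the due time of the device's next check-in."""
    return now > next_check_in_due(registered_at, last_sync)


# Constructed sample: registration and last-sync times as the portal would show them
DEVICES: List[dict] = [
    {"name": "IPAD-001", "registered": "2024-01-10T08:00:00+00:00", "lastSync": "2024-01-10T17:30:00+00:00"},
    {"name": "IPAD-002", "registered": "2024-01-10T08:00:00+00:00", "lastSync": "2024-01-10T08:45:00+00:00"},
    {"name": "IPAD-003", "registered": "2024-01-10T17:00:00+00:00", "lastSync": "2024-01-10T17:20:00+00:00"},
    {"name": "IPAD-004", "registered": "2024-01-10T17:00:00+00:00", "lastSync": "2024-01-10T17:40:00+00:00"},
]


def overdue_devices(devices: List[dict], now_iso: str) -> List[str]:
    """Names of devices that have missed their expected check-in as of `now_iso`."""
    now = datetime.fromisoformat(now_iso)
    return [
        d["name"]
        for d in devices
        if is_overdue(datetime.fromisoformat(d["registered"]), datetime.fromisoformat(d["lastSync"]), now)
    ]


if __name__ == "__main__":
    now = datetime(2024, 1, 10, 18, 0, tzinfo=timezone.utc)
    print("overdue:", overdue_devices(DEVICES, now.isoformat()))
```

IPAD-001 is inside its 8 hour window and IPAD-004 is inside its 15 minute window plus grace, so neither is flagged; IPAD-002 last synced while still in the fast window and has been silent for hours, and IPAD-003 is a fresh registration that has already missed one 15 minute cycle. The distinction matters because the slow cadence means a device that is simply between check-ins can look stale for most of a working day.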
- You can't group devices together in a group easily. All profiles/configs/apps are assigned to groups of users.
  - I had a scenario where each user had two iPads and each iPad was for a different role, but I couldn't send different profiles/settings to each device.
  - I had to create a Category Tag and create a dynamic group based off of this tag, and once the device was registered, I had to assign that device to the correct Category Tag to push different profile sets.
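The workaround above relies on a dynamic device group whose membership rule keys on the device category. The following is an added example, not code from the original article: it builds the single-clause rule Azure AD dynamic device groups accept for this property, `(device.deviceCategory -eq "<category name>")`, and evaluates it locally against constructed device records to show two iPads with the same primary user landing in different groups once each carries its own category. The local matcher is a stand-in for the directory's own evaluation (it compares names exactly); the category names, users and device names are constructed.

```python
"""Per-device targeting through a device category and dynamic device groups.

Added example (not from the original article). Azure AD dynamic device
groups accept a membership rule of the form
    (device.deviceCategory -eq "<category name>")
This snippet builds that rule for each role and evaluates it locally against
constructed device records, showing that two iPads sharing one primary user
land in different groups once each carries its own category, which is the
workaround described above. The local matcher is a stand-in for the
directory's evaluation (it compares names exactly); category names, users
and device names are constructed.
"""
import re
from typing import Dict, List

ROLE_CATEGORIES = ["Warehouse iPad", "Sales iPad"]  # constructed category names

_RULE_RE = re.compile(r'^\(device\.deviceCategory -eq "([^"]*)"\)$')


def membership_rule(category: str) -> str:
    """Build a single-clause dynamic device group rule for one category."""
    if '"' in category:
        # a quote inside the name would terminate the string literal in the rule
        raise ValueError("category name must not contain a double quote")
    return f'(device.deviceCategory -eq "{category}")'


def rule_category(rule: str) -> str:
    """Extract the category name a rule built by membership_rule() targets."""
    match = _RULE_RE.match(rule)
    if not match:
        raise ValueError(f"unsupported rule: {rule}")
    return match.group(1)


def matches(rule: str, device: dict) -> bool:
    """Local stand-in for directory evaluation of the single-clause rule."""
    return device.get("deviceCategory") == rule_category(rule)


# Constructed sample: one user with two iPads in different roles, plus an uncategorised iPad
DEVICES: List[dict] = [
    {"deviceName": "IPAD-W-01", "userPrincipalName": "alice@contoso.example", "deviceCategory": "Warehouse iPad"},
    {"deviceName": "IPAD-S-01", "userPrincipalName": "alice@contoso.example", "deviceCategory": "Sales iPad"},
    {"deviceName": "IPAD-N-01", "userPrincipalName": "bob@contoso.example", "deviceCategory": None},
]


def group_membership(devices: List[dict], categories: List[str]) -> Dict[str, List[str]]:
    """Map each category's dynamic group to the devices its rule admits."""
    return {
        category: [d["deviceName"] for d in devices if matches(membership_rule(category), d)]
        for category in categories
    }


def uncategorised(devices: List[dict]) -> List[str]:
    """Devices that match no role group and so get no role profile until a category is set."""
    return [d["deviceName"] for d in devices if not d.get("deviceCategory")]


if __name__ == "__main__":
    for group, members in group_membership(DEVICES, ROLE_CATEGORIES).items():
        print(f"{group}: {members}")
    print("needs a category:", uncategorised(DEVICES))
```

The uncategorised list is the operational gap in this workaround: a newly registered device matches no role group until someone assigns its category, so it sits with only the baseline profiles, and that list is worth reviewing after each enrolment wave.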
- Can't force install a profile/app, which you can easily do in other MDM solutions.
- Microsoft Intune does not have any policy to disable location tracking for personal devices.
- Intune locks you into the Microsoft stack
• Not part of the iOS AppConfig Community; the only major UEM not a member of the AppConfig Community (22 UEM members https://appconfig.org/members/)
• Locking you into Azure AD
• Almost solely focused on securing Microsoft apps; tiny non-Microsoft ecosystem
- Microsoft does not have a consistent strategy for securing Android or macOS
• No Android Work Managed, COSU and limited
• macOS (the majority of additional non-Apple-standard management is provided by JAMF integration)
• Microsoft UEM offering has major gaps
• No Android (Zebra) Task Workers Support
- Microsoft Intune is missing the security basics?
• Auto-quarantine for devices with malicious apps
• Security against Sloppy and Parasite apps
• No App Specific Tunnels, e.g. Per-App VPN (requires a 3rd party VPN)
- Deployment
• Cloud only. Not a viable option for organizations that require an on-premise EMM secure solution
• No gateway-like servers for access control or data-in-transit security
- Content Management
• Content managed only if stored within Office 365 apps or SharePoint Online/OneDrive Cloud
- Gartner 2017 & 2018 EMM Magic Quadrant Comments
• Intune not listed in the Leaders quadrant and was dropped in the critical capabilities for the 2nd year in a row. Called out for lack of support for 3rd party IT systems, including IAMs.
- Lacks Security Certifications for UEM (can't deliver a government-grade solution or validated encryption)
  - FIPS 140-2
  - Common Criteria MDM PP
  - FedRAMP
- Lacks Security Automation for Device Compliance
  - Can't protect all your data if the device is compromised
  - Requires manual compliance: non-Office business data stays on a compromised device until IT takes a manual action
- Lacks Mobile Threat Detection
  - Can't detect and remediate device, network and app threats
- Lacks Conditional Access Outside the Microsoft Cloud
  - Can't stop untrusted apps from accessing business data
  - Microsoft only focused on Microsoft Services
- Lacks a rich ecosystem
  - After 40+ months of ISV recruiting only 11 app ISVs (13 apps) (Acronis Access, Adobe Reader, Box, Sharefile, Workspace One etc)
  - Only 10 backend ISVs (Checkpoint, Cisco, Citrix, Jamf, Lookout, Symantec, TeamViewer, Zimperium etc)
- Lacks a track record of technical maturity
  - Ongoing field feedback about:
    • Complexity of mobile app SSO
    • Android & Google Play integration
    • App wrapping reliability
    • macOS capability
- Choose Intune if security is not a priority and you never deploy non-Microsoft services.
- Microsoft Word, Excel and Skype for Business do NOT have an Android app config option to push the user's UPN (email address); they only have one config option (com.microsoft.intune.mam.AllowedAccountUPNs).
@daniil_michine
- It looks like Microsoft Edge for Android does not honour app configuration to configure bookmarks.
- The PKCS certificate profile only allows the certificate CN to be populated with a common name or email address. This limits compatibility with some networking gear and RADIUS configurations, and also makes it difficult to identify certificates issued to a particular device on the CA.