Common issues & limitations of Microsoft InTune


#1

This will be a running list of all common issues I have run access during Microsoft InTune implementations.

  • If any information has changed since being publishing of this article please let me know so it can be updated

These issues or bad streamlined provisioning compared to other vendors such as MobileIron and AirWatch

  1. If you forget to assign an InTune license to a user, you WILL be still able to register the device into InTune and it will sync but no where in logs, InTune MDM app or InTune Azure portal will it tell you that configurations and applications aren’t pushing down because you forgot to assign a license to the user.
  1. Apple DEP sync is only allowed after 15 minute countdown completed

  2. Microsoft InTune support will not support, troubleshoot or help you to troubleshoot issues with native mail app, Gmail or any other third party email app that is not Outlook

  3. Very long delays with device “sync” check-in and information can take 5 to 10 minutes or more to update in InTune web portal on what device info, configurations are even updated and reporting back to InTune

Re: @Junaid

  1. The device check-in is every 15 minutes for the first 4 hours when a device is registered and then once every 8 hours.

  2. You can’t group devices together in a group easily. All profiles/configs/apps are assigned to groups of users.

  • I had a scenario where each user had two iPads and each iPad was for a different role but I couldn’t send different profiles/settings to each device.
  • Had to create a Category Tag and create a dynamic group based off of this tag and once the device was registered, I had to assign that device to the correct Category Tag to push different profile sets.
  1. Can’t force install a profile/app that you can easily do in other MDM solutions.

  2. Microsoft InTune do not have any policy to disable the location tracking for personal devices

  3. Intune locks you into the Microsoft stack
    • Not part of iOS AppConfig Community, only major UEM not a member of AppConfig Community (22 UEM members https://appconfig.org/members/)
    • Locking you into Azure AD
    • Almost solely focused on securing Microsoft apps – tiny non Microsoft ecosystem

  4. Microsoft does not have a consistent strategy for securing Android or macOS
    No Android Work Managed, COSU and limited
    • macOS (majority of additional non Apple standard management provided by JAMF integration)
    • Microsoft UEM offering has major gaps
    • No Android(Zebra) Task Workers Support

  5. Microsoft Intune is missing the security basics?
    • Auto-quarantine for devices with malicious apps
    • Security against Sloppy and Parasite apps
    • No App Specific Tunnels eg Per-App-VPN (Requires 3rd party VPN)

  6. Deployment
    − Cloud only. Not a viable option for organizations that require an on-premise EMM secure solution
    − No gateway like Servers for access control or data-in-transit security

  7. Content Management

  • Content managed only if stored within Office 365 apps or SharePoint Online/OneDrive Cloud
  1. Gartner 2017 & 2018 EMM Magic Quadrant Comments
    • InTune not listed in the Leaders quadrant and was dropped in the critical capabilities for 2nd year in a row. Called out for lack of support for 3rd party IT systems, including IAMs.

  2. Lacks Security Certificates for UEM (Can’t deliver government grade solution or validated encryption)

  • FIPS 140-2
  • Common Criteria MDM PP
  • FedRAMP
  1. Lacks Security Automation for Device Compliance
  • Can’t protect all your data if the device is compromised
  • Requires manual compliance: non-Office business data stays on a compromised device until IT takes a manual action
  1. Lacks Mobile Threat Detection
  • Can’t detect and remediate device, network and app threats
  1. Lacks Conditional Access Outside Microsoft Cloud
  • Can’t stop untrusted apps from accessing business data
  • Microsoft only focused on Microsoft Services
  1. Lacks rich ecosystem
  • After 40+ months of ISV recruiting only 11 app ISV’s (13 apps) (Acronis Access, Adobe Reader, Box, Sharefile, Workspace One etc)
  • Only 10 backend ISV’s (Checkpoint, Cisco, Citrix, Jamf, Lookout, Symantec, TeamViewer, Zimperium etc)
  1. Lacks track record of technical maturity
  • Ongoing field feedback about:
    • Complexity of mobile app SSO
    • Android & Google Play integration
    • App wrapping reliability
    • macOS capability
  1. Choose InTune if Security is not a priority and you never deploy non Microsoft Services

  2. Microsoft Word, Excel and Skype for Business does NOT have an Android app config option to push the users UPN (email address), it only has 1 config option (com.microsoft.intune.mam.AllowedAccountUPNs)

@daniil_michine
23. It looks like Microsoft Edge for Android does not honour app configuration to configure bookmarks.

  1. PKCS certificate profile only allows the certificate CN to be burned with a common name or email address. This limits compatibility with some networking gear and radius configurations also makes it difficult to identify certificates issued to the particular device on the CA.

#2

You can use conditional access address the problem above.

  • Assign licenses based on an AAD group
  • Create conditional access policy to block enrolment if user is not a member of this group

#3

The device check-in is every 15 minutes for the first 4 hours when a device is registered and then once every 8 hours.

A couple more things you can add

  1. You can’t group devices together in a group easily. All profiles/configs/apps are assigned to groups of users. I had a scenario where each user had two iPads and each iPad was for a different role but I couldn’t send different profiles/settings to each device. Had to create a Category Tag and create a dynamic group based off of this tag and once the device was registered, I had to assign that device to the correct Category Tag to push different profile sets.

  2. Can’t force install a profile/app that you can easily do in other MDM solutions.


#4

Microsoft do not have any policy available to disable the location tracking for personal devices


#5

#6

It looks like Microsoft Edge for Android does not honour app configuration to configure bookmarks.


#7

PKCS certificate profile only allows the certificate CN to be burned with a common name or email address. This limits compatibility with some networking gear and radius configurations also makes it difficult to identify certificates issued to the particular device on the CA.