Common issues with Microsoft InTune


#1

This will be a running list of all common issues I have run across during Microsoft InTune implementations.
These are issues or badly streamlined provisioning compared to other vendors such as MobileIron and AirWatch.

  1. If you forget to assign an InTune license to a user, you WILL still be able to register the device into InTune and it will sync, but nowhere in the logs, the InTune MDM app or the InTune Azure portal will it tell you that configurations and applications aren’t pushing down because you forgot to assign a license to the user.

  2. Apple DEP sync is only allowed after a 15-minute countdown has completed.

  3. Microsoft InTune support will not support, troubleshoot or help you to troubleshoot issues with the native mail app, Gmail or any other third-party email app that is not Outlook.

  4. Very long delays with device “sync” check-in; information can take 5 to 10 minutes or more to update in the InTune web portal showing what device info and configurations have even been updated and reported back to InTune.

Re: @Junaid

  1. The device check-in is every 15 minutes for the first 4 hours when a device is registered and then once every 8 hours.

  2. You can’t group devices together in a group easily. All profiles/configs/apps are assigned to groups of users. I had a scenario where each user had two iPads and each iPad was for a different role but I couldn’t send different profiles/settings to each device. Had to create a Category Tag and create a dynamic group based off of this tag and once the device was registered, I had to assign that device to the correct Category Tag to push different profile sets.

  3. Can’t force install a profile/app that you can easily do in other MDM solutions.

  4. Microsoft InTune does not have any policy to disable the location tracking for personal devices.


#2

You can use conditional access to address the problem above.

  • Assign licenses based on an AAD group
  • Create conditional access policy to block enrolment if user is not a member of this group
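
A check for the silent failure in item 1 of post #1, which the license group in post #2 is meant to prevent: list enrolled devices whose user has no active Intune service plan. This is an added example, not part of the thread; it assumes records shaped like Microsoft Graph `managedDevice` and `licenseDetails` JSON, and the function names and sample data are constructed for illustration.

```python
# Added example: flag enrolled devices whose user has no active Intune plan.
# Records mirror Microsoft Graph managedDevice / licenseDetails JSON (assumed
# to be exported beforehand); all sample values below are constructed.
INTUNE_PLAN = "INTUNE_A"  # Intune service plan name inside a licensed SKU


def has_intune(license_details):
    """True if any assigned SKU carries an enabled Intune service plan."""
    return any(
        plan.get("servicePlanName") == INTUNE_PLAN
        and plan.get("provisioningStatus") == "Success"
        for sku in license_details
        for plan in sku.get("servicePlans", [])
    )


def unlicensed_enrollments(devices, licenses_by_upn):
    """Return sorted (upn, deviceName) pairs for devices that enrolled and
    sync, but whose user will receive no configurations or apps."""
    findings = []
    for dev in devices:
        upn = (dev.get("userPrincipalName") or "").lower()
        if not upn:
            continue  # no user recorded on the device; skipped in this check
        if not has_intune(licenses_by_upn.get(upn, [])):
            findings.append((upn, dev.get("deviceName")))
    return sorted(findings)


def _sku(part, plan, status):
    return {"skuPartNumber": part,
            "servicePlans": [{"servicePlanName": plan,
                              "provisioningStatus": status}]}

SAMPLE_DEVICES = [  # constructed
    {"deviceName": "iPad-Front-Desk", "userPrincipalName": "alice@contoso.example"},
    {"deviceName": "iPad-Warehouse-1", "userPrincipalName": "Bob@Contoso.example"},
    {"deviceName": "iPhone-Carol", "userPrincipalName": "carol@contoso.example"},
    {"deviceName": "iPad-Warehouse-2", "userPrincipalName": "dave@contoso.example"},
    {"deviceName": "iPad-Shared", "userPrincipalName": None},
]
SAMPLE_LICENSES = {  # constructed; keyed by lower-cased UPN
    "alice@contoso.example": [_sku("EMS", "INTUNE_A", "Success")],
    "bob@contoso.example": [_sku("ENTERPRISEPACK", "EXCHANGE_S_ENTERPRISE", "Success")],
    "carol@contoso.example": [_sku("EMS", "INTUNE_A", "Disabled")],  # plan switched off
}

if __name__ == "__main__":
    for upn, name in unlicensed_enrollments(SAMPLE_DEVICES, SAMPLE_LICENSES):
        print(f"{name}: enrolled, but {upn} has no active Intune plan")
```

The `Disabled` case matters because a user can hold a bundle SKU with the Intune plan turned off, which looks licensed at a glance.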

#3

The device check-in is every 15 minutes for the first 4 hours when a device is registered and then once every 8 hours.

A couple more things you can add

  1. You can’t group devices together in a group easily. All profiles/configs/apps are assigned to groups of users. I had a scenario where each user had two iPads and each iPad was for a different role but I couldn’t send different profiles/settings to each device. Had to create a Category Tag and create a dynamic group based off of this tag and once the device was registered, I had to assign that device to the correct Category Tag to push different profile sets.

  2. Can’t force install a profile/app that you can easily do in other MDM solutions.


#4

Microsoft do not have any policy available to disable the location tracking for personal devices