MDM: Intune falls short if you're managing more than e-mail.
The Mobile Device Management (MDM) software industry is helping organizations deliver secure solutions that allow employees to work from anywhere. That is a huge part of what brings users happiness and work-life balance: the ideal of the "Digital Nomad" lifestyle, or simply the ability to spend less time commuting and more time with your family.
The mobile security industry is a big world, with the likes of Microsoft, VMware, Ivanti, IBM, SOTI, ManageEngine, Citrix, Jamf Pro, and many others participating. This article dives into Microsoft Intune: why is it so disruptive, and why should we be thinking twice about it?
Customers are better prepared to understand the full scope of what is actually possible if they know that, where Intune falls short, they have viable options in other MDM solutions. The key points relate to cloud performance, lack of features, multi-OS support, complicated configuration, and hidden charges. Let's dive in!
- Licensing: Is it free? I hate when people say anything in 2024 is "free". Look for yourself. From a business perspective, I can understand having certain features priced differently. Not saying I like it, but I can understand it. Microsoft will offer Office 365 E3 customers Intune App Protection (IAP) policies. Mobile app protection is not the same as MDM. IAP just is not enough; MAM is never a substitute for MDM. Microsoft enterprise customers are largely going with the M365 E3 or E5 licenses these days, but not every feature is included in the pricing structure on their website below. Add-ons add up fast.
Intune Suite pricing at $10 is steep for what you get out of it. It should be included in the core license structure. Features we already had in SCCM, which we were told would be included in Intune in the future, are now being sold to us at an increased price. (source: Microsoft plans & pricing)
Paying $2.50 per month for a Certificate Authority (CA) for 5,000 devices is a lot. You could, in theory, hire a person to run a CA server that provides the same service, do backups and recovery tests, support devices, add in the other servers, and pay for the equipment, basically every month for the same cost. This person would spend less than 5% of their work hours doing this.
- Regulatory Compliance & Audit Ready: Given industry concerns around security, Intune lacks many of the regulatory and audit-friendly security certifications for its MDM offering. You should verify, feature by feature, whether it truly has the support you need to meet your regulatory compliance requirements.
- Architecture & Performance: Intune's reputation for slow performance is well documented in trade articles across the internet and on Reddit. Something to look for when comparing MDMs is the ability to perform hourly check-ins, and whether SaaS platform updates are timely and efficient. Intune behaves like a monolithic SQL app and drags when screens load. It appears that Intune may recently have started charging for throughput on "check-in" type activity; no other MDM provider has per-click usage charges. (source below)
- Cloud Architecture: MDM comparisons across SaaS cloud, on-premise, and hybrid deployments matter to many Federal, SLED, Healthcare, and Finance organizations. Intune is SaaS only.
- Delegated Administration & Device Partitioning: Intune falls short when it comes to support for delegated spaces and device groups to manage groups of users and devices in an intuitive way.
- Remote Viewing: Most MDM providers include some kind of Remote Help/Remote Viewer capability in their licensing, while Microsoft charges $48 per year for this. A scenario exists in which 1,100 users must be licensed for the feature even if at most 100 users will need remote assistance at any given time. That means you could pay nearly $35k a year for something that will rarely be used.
- MAM is not MDM, and MAM is not enough: Intune App Protection Policy is a Mobile Application Management (MAM) offering, not a Mobile Device Management (MDM) solution. The main difference is that MDM has significantly more features and functionality, such as web clips, provisioning profiles for in-house apps, certificates, and more.
- Supply Chain: Devices are everywhere, not just in the home and office. Intune can't help you if you need a true inventory or supply-chain solution for warehouse, delivery-driver, and other field use cases. Zebra, Honeywell, Domino, and others are not supported by Intune today.
- Mobile Threat Defense (MTD) has been called out by compliance regimes such as CMMC, NIST, and even CJIS as a requirement going into 2024. MTD protects against device, network, and application threats, and helps ensure that a breach such as a successful spear-phishing or social-engineering attempt does not happen. Microsoft's approach requires Intune Company Portal, Microsoft Defender, and Microsoft Authenticator to be downloaded, installed, and activated individually; there is no single integrated application, so the user experience is very choppy. It is also not friendly to on-premise or hybrid models. Device-level threat detection, such as root and jailbreak detection, requires Intune and AAD for device compliance.
Cost of MTD: Microsoft 365 A5/E5 or Microsoft 365 Security license
In 2023, Apple and Google published a combined 931 vulnerabilities, while Kaspersky and Stackwatch reported observing over 33.7 million attacks on mobile. Since 2011, the rate of mobile users clicking on phishing links has grown 85% year over year.
MTD sources: Stackwatch, Kaspersky, Lookout, and Zimperium industry reports covering 2022 and 2023 data.
- Ease of Use: The Microsoft Intune, MEM/SCCM, Azure, and O365 portals are multiple complex management tools combined to provide Unified Endpoint Management, but together they do not truly offer a single pane of glass.
- Conditional Access via IDP: Ask yourself: do users have to sign in to every single app that you deploy? How can I make access to cloud SaaS applications easier? Do I have visibility into where users are logging in from, and who was allowed or blocked? Access solutions from other vendors can integrate with any identity provider, such as Ping, Okta, Microsoft ADFS, Azure, Duo, etc., while Microsoft focuses only on Azure AD. The vendor lock-in is real. Access solutions exist at several other MDM vendors.
- Vendor Lock-In: Other best-of-breed MDM solutions support thousands of technology partner integrations: cloud apps, SIEM, VPN, identity, data lakes, collaboration, security, and geo-fencing. Intune, by contrast, encourages Microsoft vendor lock-in.
- Mobile VPN: Microsoft's Tunnel capability is not as robust and is not included in the Intune license.
- OS Diversification: Intune offers only light management features for operating systems outside Windows and for third-party apps; look for MDM platforms with more robust management capabilities for iOS, Android, Windows 10/11, macOS, tvOS, ChromeOS, watchOS, Oculus, and other wearables.
In summary, anyone considering Intune should evaluate it thoroughly before purchasing. All kinds of MDM industry players will say they are the right choice for security-conscious customers who want a best-of-breed MDM solution with an intuitive admin experience, advanced use-case support, and a feature-rich solution. How true is all of that? It does not matter which MDM provider you look at; just make sure you check what appears to be free and included, and what comes at a premium. If you strictly want to manage email on devices, a lot of people see value in a "free" offering from Intune. I've also looked at Intune App Protection policies, and the user experience is clean, but it falls short because it's not enough to manage only the container. It's not enough to just manage MS Outlook, PowerPoint, Excel, and Word. You cannot have good security if you cannot see all of the possible risks or threats on a user's device, such as TikTok, WhatsApp, and more.
With the rise of Mobile Threat Defense requirements on the side of regulators, and a new era of high-profile data breaches, we should all be asking the question: is "some security" enough security?
Microsoft Intune may appear free, but the deployment and management difficulties, the lack of an integrated end-user experience, and the lack of full device-management security make it an expensive choice.
My opinions are my own...
About the author: Alex Mercer, Senior Sales Engineer Specialist at Ivanti, Inc., formerly MobileIron. Alex has direct experience with a wide variety of MDM providers, mobile threat tech, and identity solutions, and is a certified Apple and Android expert.