SCCM v Intune Showdown


If you’re an SCCM Administrator, you’ve likely heard of Intune and might be wondering when to use it.

In this post, we’ll cover how SCCM and Intune are able to manage Windows 10 full desktop computers (including laptops and Windows tablets like the Surface or Surface Book).

If instead you’re wondering about managing the Surface RT, lol, enjoy your metro cutting board.

Best use for a Surface RT in 2016

To understand where Intune really shines, let’s think of where SCCM works best:

  • known and defined network infrastructure
  • well connected end-point devices (less of an issue today)
  • standardized hardware models
  • standardized, company owned hardware
  • Active Directory Domain (all SCCM servers must be domain members)
  • Managed machines are either domain joined, or need certificates (certs = PKI = even more infrastructure and configuration)
  • Wonderfully powerful imaging capabilities

It becomes pretty obvious that SCCM is for the big enterprise; it’s also expensive and has some serious requirements.

Now, let’s contrast this to the management story we have from Intune:

  • No requirement for local hardware or infrastructure
  • No on premises Active Directory requirement
  • Works very well with Azure AD
  • Works great with user owned and heterogeneous devices
  • Literally zero imaging options

For the rest of this post, I’ll list the big capabilities of an Enterprise Client Management tool and contrast how each of these tools performs at that task. We’ll cover:


Conditional Access with SCCM and Intune

The Question

How does an Intune Conditional Access Policy affect devices in the field? (e.g. Bob’s phone already has a manually configured mail profile. What happens to Bob’s e-mail when I enforce Conditional Access, i.e. require that a user has Intune to receive e-mail?)

The Background

Consider this: a company with ~1000 mobile devices. They roll out Intune with SCCM, get it installed on 90% of devices in the field, and use it to push e-mail profiles to devices using Conditional Access.

However, 10% of the devices don’t have Intune, but still have manually configured e-mail profiles, using either the built-in mail client (Exchange ActiveSync, or EAS) or the Outlook application.

The company wants to lock down mobile e-mail to only those with a healthy device, one with security policies being enforced. If you’ve got SCCM with Intune installed, you just go to the Microsoft Intune portal at manage.microsoft.com to enable Conditional Access.

Intune – Don’t forget this important e-mail setting!

On a recent Intune deployment, we had a requirement to force encryption and security on mobile devices and also to provision mail profiles.

During the pilot, we heard informal reports that a user thought they couldn’t send a photo using their company e-mail after migration, but we found this hard to reproduce.

However, during the production roll-out, we discovered that users were unable to add attachments using their Intune-configured mail account.

Note that this was a ConfigMgr with Intune deployment, and the affected devices were mostly iOS and Android devices.

How do I fix this?

You control this setting from ConfigMgr, so launch the console.

Solved: iOS devices can connect via Intune, but not Android

We had a big issue at a client recently, which was quite a bear to solve. They used ADFS with on-premises SSO (meaning that they didn’t use DirSync to push passwords into Azure AD/Office 365), so when clients came to authenticate over the web via the Company Portal app, they were referred to our on-prem ADFS for authentication.

This worked fine for our iOS and Windows devices, no issues at all! But when we tried to use Android devices, they would be presented with the following error message:

The Symptom

"Cool, I'll call the IT admin, OH SHIT that's me!"
Could not sign in. You will need to sign in again. If you see this message again, please contact your IT Admin.

Don’t you love those messages that tell you to contact yourself?