## Why Device Management Matters
When everyone worked in the office on company desktop PCs, security was simpler. Now your data lives on:
- Laptops that travel home
- Personal phones checking work email
- Tablets used at client sites
- Home computers for remote work
Device management (MDM/EMM) helps you:
- **Enforce security policies**: Require passwords, encryption, updates
- **Protect company data**: Remote wipe if lost/stolen
- **Manage applications**: Control which apps access work data
- **Stay compliant**: Meet security standards and regulations
- **Support remote work**: Configure devices without physical access
## What Is Microsoft Intune?
Intune is Microsoft's cloud-based device management service. It's included with:
- Microsoft 365 Business Premium (£18.70/user/month)
- Enterprise Mobility + Security E3/E5
- Standalone Intune subscription (£6/user/month)
If you have Business Premium, you already have Intune—most businesses just haven't turned it on.
### What Intune Can Manage
| Device Type | Management Level |
|-------------|------------------|
| Windows 10/11 | Full (company-owned), App protection (personal) |
| macOS | Full (company-owned), Limited app protection |
| iOS/iPadOS | Full or app-only |
| Android | Full or app-only |
| Linux | Limited |
## Two Approaches: Full Management vs App Protection
### Full Device Management (MDM)
**What it is**: Complete control over the device—settings, apps, updates, security.
**Best for**: Company-owned devices, or employees who consent to management of their personal devices.
**What you can do**:
- Enforce encryption
- Require PIN/password
- Control which apps can install
- Push company apps automatically
- Remote wipe entirely
- Configure Wi-Fi and VPN automatically
**Limitations**: Users must enroll their devices and consent to management.
### App Protection Policies (MAM)
**What it is**: Protects company data within specific apps, without managing the whole device.
**Best for**: Personal devices (BYOD), and users uncomfortable with full management.
**What you can do**:
- Require PIN to open work apps
- Prevent copy/paste from work to personal apps
- Block screenshots in work apps
- Wipe only work data (personal data stays)
- Require device security checks
**Limitations**: Less control, and it only works with supported apps (Outlook, Teams, Office).
### Practical Recommendation
| Scenario | Approach |
|----------|----------|
| Company-owned laptops | Full MDM |
| Company-owned phones | Full MDM |
| Personal phones accessing email | App protection |
| Personal laptops (occasional use) | App protection |
| Contractors/temps | App protection |
## Getting Started with Intune
### Prerequisites
1. **Microsoft 365 Business Premium** (or Intune license)
2. **Azure AD** (included with Microsoft 365)
3. **Global admin access** to configure
### Step 1: Enable Intune
1. Go to **Microsoft 365 Admin Centre** → **Setup**
2. Look for "Secure your organization" or "Device management"
3. Or go directly to **endpoint.microsoft.com** (Intune admin centre)
### Step 2: Set Up Auto-Enrollment (Windows)
For company-owned Windows devices to auto-enroll when users sign in:
1. **Intune admin centre** → **Devices** → **Enroll devices** → **Automatic Enrollment**
2. Set **MDM user scope** to "All" or select groups
3. Devices auto-enroll when users sign in with a work account
### Step 3: Create a Compliance Policy
Compliance policies define the minimum security requirements a device must meet:
1. **Devices** → **Compliance policies** → **Create Policy**
2. Choose platform (Windows, iOS, Android, macOS)
3. Set requirements:
   - Require encryption
   - Minimum password length
   - Require up-to-date OS
   - Require antivirus (Windows)
**Recommended Windows compliance settings**:
- Require BitLocker: Yes
- Require password: Yes
- Minimum password length: 8 characters
- Require antivirus/antispyware: Yes
- Firewall: Required
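The recommended Windows compliance settings above, scripted with Microsoft Graph PowerShell as an added example (not code from the original guide or from Microsoft). It assumes the Microsoft.Graph module is installed and uses a placeholder for your pilot group's object ID; the policy is assigned to that pilot group only, in line with the "Test Before Deploying" advice.

```powershell
# Added example: create the recommended Windows compliance policy and assign it
# to a pilot group. Assumes the Microsoft.Graph module; the group ID is a placeholder.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

$pilotGroupId = "<PILOT-GROUP-OBJECT-ID>"   # placeholder: object ID of your test group
$graph = "https://graph.microsoft.com/v1.0"

$policy = @{
    "@odata.type"          = "#microsoft.graph.windows10CompliancePolicy"
    displayName            = "Windows - Baseline compliance"
    description            = "Encryption, password, antivirus and firewall required"
    bitLockerEnabled       = $true   # Require BitLocker: Yes
    passwordRequired       = $true   # Require password: Yes
    passwordMinimumLength  = 8       # Minimum password length: 8 characters
    antivirusRequired      = $true   # Require antivirus: Yes
    antiSpywareRequired    = $true   # Require antispyware: Yes
    activeFirewallRequired = $true   # Firewall: Required
    # Graph requires at least one scheduled action. "block" with a 0-hour grace
    # period marks a failing device non-compliant immediately, so a conditional
    # access policy that requires compliance can act on it.
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{ actionType = "block"; gracePeriodHours = 0
                   notificationTemplateId = ""; notificationMessageCCList = @() }
            )
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "$graph/deviceManagement/deviceCompliancePolicies" `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType "application/json"

# Assign to the pilot group only; widen the assignment after the pilot succeeds.
$assignment = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                       groupId = $pilotGroupId } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "$graph/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType "application/json"

"Created compliance policy $($created.id) and assigned it to group $pilotGroupId"
```

Devices report their state on the next check-in; review it under **Devices** → **Compliance policies** → the policy → **Device status** before widening the assignment.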
### Step 4: Create a Configuration Profile
Configuration profiles push settings to devices:
1. **Devices** → **Configuration profiles** → **Create profile**
2. Choose platform and profile type
3. Configure settings
**Essential Windows settings to configure**:
- BitLocker encryption (enable automatically)
- Windows Hello for Business (PIN/biometric login)
- Microsoft Defender settings
- Windows Update settings
- Firewall configuration
### Step 5: Set Up App Protection (For BYOD)
Protect work data on personal devices:
1. **Apps** → **App protection policies** → **Create policy**
2. Choose platform (iOS/Android)
3. Select apps to protect (Outlook, Teams, OneDrive, Office apps)
4. Configure data protection:
   - Prevent "Save As" to personal storage
   - Require PIN to access apps
   - Block copy to unmanaged apps
   - Encrypt app data
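The iOS app protection policy from Step 5, scripted with Microsoft Graph PowerShell as an added example (not code from the original guide or from Microsoft). It assumes the Microsoft.Graph module is installed; the app bundle IDs are Microsoft's public ones for Outlook, Teams and OneDrive, and the 90-day offline wipe period is an assumption, not a setting from the guide.

```powershell
# Added example: create an iOS app protection (MAM) policy with the Step 5 data
# protection settings and target the Microsoft work apps. Assumes Microsoft.Graph.
Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All"
$graph = "https://graph.microsoft.com/v1.0"

$policy = @{
    displayName                             = "iOS BYOD - Protect work data"
    pinRequired                             = $true            # Require PIN to access apps
    saveAsBlocked                           = $true            # Prevent "Save As" to personal storage
    allowedOutboundDataTransferDestinations = "managedApps"    # share only into managed apps
    allowedOutboundClipboardSharingLevel    = "managedAppsWithPasteIn"  # block copy to unmanaged apps
    appDataEncryptionType                   = "whenDeviceLocked"        # Encrypt app data at rest
    dataBackupBlocked                       = $true            # keep work data out of iCloud backup
    deviceComplianceRequired                = $true            # device checks (e.g. jailbroken devices blocked)
    organizationalCredentialsRequired       = $true            # work account must be signed in
    periodOfflineBeforeWipeIsEnforced       = "P90D"           # assumption: wipe work data after 90 days offline
}
$created = Invoke-MgGraphRequest -Method POST `
    -Uri "$graph/deviceAppManagement/iosManagedAppProtections" `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType "application/json"

# Target the apps the policy protects (public bundle IDs for Outlook, Teams, OneDrive).
$bundleIds = "com.microsoft.Office.Outlook", "com.microsoft.skype.teams", "com.microsoft.skydrive"
$targets = @{
    apps = @(
        foreach ($bundleId in $bundleIds) {
            @{ mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"
                                        bundleId = $bundleId } }
        }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "$graph/deviceAppManagement/iosManagedAppProtections/$($created.id)/targetApps" `
    -Body ($targets | ConvertTo-Json -Depth 10) -ContentType "application/json"

"Created app protection policy $($created.id) targeting $($bundleIds.Count) apps"
```

The policy has no effect until it is assigned to a user group (from the policy's **Assignments** page or its Graph `assign` action); start with the pilot group.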
## Security Baselines: The Quick Win
Microsoft provides pre-configured "security baselines"—best-practice settings tested and recommended:
1. **Endpoint security** → **Security baselines**
2. Choose baseline (Windows 10/11, Edge, Defender)
3. Create profile and assign to devices
**What baselines configure**:
- Password policies
- Lock screen settings
- Browser security
- Defender settings
- Network protection
- Attack surface reduction
For most small businesses, **applying security baselines with minimal modification** is the fastest path to good security.
## Conditional Access: Adding Intelligence
Conditional access goes beyond "allow or deny" to context-aware decisions:
**Example policies**:
1. "Require MFA when accessing from outside the office"
2. "Block access from non-compliant devices"
3. "Require managed app on mobile devices"
4. "Block access from risky sign-ins"
### Setting Up Basic Conditional Access
1. **Azure AD** → **Security** → **Conditional Access** → **New policy**
2. **Users**: All users (or specific groups)
3. **Cloud apps**: All cloud apps (or Microsoft 365)
4. **Conditions**: Device platforms, locations, risk levels
5. **Grant**: Require compliant device, or require app protection
**Essential policy for small business**:
- Name: "Require compliant device for company apps"
- Users: All users
- Apps: Office 365
- Grant: Require device to be marked compliant
This ensures only devices meeting your compliance policy can access company data.
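The essential policy above, created with Microsoft Graph PowerShell as an added example (not code from the original guide or from Microsoft). It assumes the Microsoft.Graph module is installed and uses a placeholder for an emergency-access account to exclude; the policy is created in report-only mode so the sign-in log shows what it would block before it is enforced.

```powershell
# Added example: create "Require compliant device for company apps" in report-only
# mode. Assumes Microsoft.Graph; the excluded account ID is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"
$graph = "https://graph.microsoft.com/v1.0"

$emergencyAccountId = "<EMERGENCY-ACCESS-ACCOUNT-OBJECT-ID>"  # placeholder: never lock yourself out

$policy = @{
    displayName = "Require compliant device for company apps"
    # Report-only evaluates every sign-in and records the result without blocking.
    # Change to "enabled" once the sign-in log shows no unexpected failures.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")                  # Users: All users
            excludeUsers = @($emergencyAccountId)    # keep one unmanaged way back in
        }
        applications = @{
            includeApplications = @("Office365")     # Apps: the Office 365 app group
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")       # Grant: device marked compliant by Intune
    }
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "$graph/identity/conditionalAccess/policies" `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType "application/json"

"Created conditional access policy $($created.id) in state $($created.state)"
```

Review the results under **Azure AD** → **Sign-in logs** → **Report-only** for a week or two; a device that has never enrolled shows as "Report-only: Failure", which is your list of devices to enroll before enforcing.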
## Common Scenarios
### Scenario 1: Lost Laptop
1. **Intune admin centre** → **Devices** → Find the device
2. **Remote actions** → **Wipe** (full wipe) or **Retire** (remove company data)
3. The device is wiped the next time it connects to the internet
4. BitLocker encryption means the data is protected even before the wipe runs
### Scenario 2: Employee Leaves
1. **Disable Azure AD account** (standard offboarding)
2. **Retire device** from Intune (removes company data)
3. Or **Wipe device** if company-owned
4. Personal apps and data stay (if BYOD with app protection)
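Scenarios 1 and 2 above, scripted with Microsoft Graph PowerShell as an added example (not code from the original guide or from Microsoft): disable the account, end its existing sessions, then retire personal devices and wipe company-owned ones. It assumes the Microsoft.Graph module is installed; the user principal name is a placeholder, and the session revocation is an added step the guide does not list.

```powershell
# Added example: offboard a leaver. Assumes Microsoft.Graph; $upn is a placeholder.
Connect-MgGraph -Scopes "User.ReadWrite.All", "DeviceManagementManagedDevices.Read.All",
    "DeviceManagementManagedDevices.PrivilegedOperations.All"

$upn   = "leaver@example.com"   # placeholder: the departing user's sign-in name
$graph = "https://graph.microsoft.com/v1.0"

# 1. Disable the Azure AD account, then revoke refresh tokens so cached sign-ins
#    on any device stop working instead of lasting until they expire.
Invoke-MgGraphRequest -Method PATCH -Uri "$graph/users/$upn" `
    -Body (@{ accountEnabled = $false } | ConvertTo-Json) -ContentType "application/json"
Invoke-MgGraphRequest -Method POST -Uri "$graph/users/$upn/revokeSignInSessions"

# 2. Find every Intune-managed device enrolled by this user.
$devices = (Invoke-MgGraphRequest -Method GET -Uri "$graph/users/$upn/managedDevices").value

foreach ($d in $devices) {
    $label = "$($d.deviceName) ($($d.operatingSystem), owner: $($d.managedDeviceOwnerType))"
    if ($d.managedDeviceOwnerType -eq "company") {
        # Company-owned: full wipe, nothing kept.
        Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/managedDevices/$($d.id)/wipe" `
            -Body (@{ keepEnrollmentData = $false; keepUserData = $false } | ConvertTo-Json) `
            -ContentType "application/json"
        "Wipe queued for $label"
    } else {
        # Personal (BYOD): retire removes company data only; personal apps and data stay.
        Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/managedDevices/$($d.id)/retire"
        "Retire queued for $label"
    }
}
# Each action runs when the device next checks in; confirm under Devices > Device actions status.
```

A device with no Intune enrollment (BYOD with app protection only) does not appear in this list; its work data is removed by a selective wipe from **Apps** → **App selective wipe**.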
### Scenario 3: New Employee Starts
1. **Give them a company laptop**
2. **They sign in** with their new Microsoft 365 account
3. **Device auto-enrolls** in Intune
4. **Policies apply** automatically
5. **Company apps install** automatically
### Scenario 4: Employee Uses Personal Phone for Email
1. **They install Outlook** from app store
2. **Sign in** with work account
3. **App protection policy** applies automatically
4. **Work data is protected** in Outlook
5. **Personal device stays personal**—no full management needed
## Alternatives to Intune
If you're not on Microsoft 365 Business Premium:
### Jamf (macOS/iOS)
**Best for**: Apple-focused businesses
**Pricing**: From £3/device/month
**Pros**: Best-in-class Apple management
**Cons**: Windows/Android requires separate solution
### Google Endpoint Management
**Best for**: Google Workspace users
**Pricing**: Included with Google Workspace
**Pros**: Integrated with Google ecosystem
**Cons**: Less powerful than Intune
### JumpCloud
**Best for**: Cross-platform, cloud-native businesses
**Pricing**: From £8/user/month
**Pros**: Directory + device management combined
**Cons**: Less deep than platform-specific tools
### Kandji (macOS/iOS)
**Best for**: Mac-heavy environments
**Pricing**: From £5/device/month
**Pros**: Modern, automated Apple management
**Cons**: Apple only
## Getting It Right: Best Practices
### Start Simple
Don't try to configure everything at once:
1. **Week 1**: Basic compliance policy (encryption, passwords)
2. **Week 2**: Security baselines for Windows
3. **Week 3**: App protection for mobile
4. **Week 4**: Conditional access basics
5. **Ongoing**: Refine and expand
### Test Before Deploying
1. Create a test group with a few volunteer devices
2. Apply policies to test group first
3. Verify everything works correctly
4. Expand to full organisation
### Communicate With Staff
Device management can feel intrusive. Explain:
- What you're protecting (company data)
- What you can see (device compliance, not personal photos)
- What you can do (remote wipe work data)
- What you can't do (read personal messages)
### Have a BYOD Policy
If allowing personal devices, document:
- What's required (app protection enrollment)
- What's protected (work data only)
- What's visible to IT
- What happens when they leave
- Minimum device requirements
## Authority Resources
- **Microsoft Intune Documentation**: [docs.microsoft.com/mem/intune](https://docs.microsoft.com/mem/intune/)
- **Microsoft Security Baselines**: [docs.microsoft.com/windows/security/threat-protection/windows-security-baselines](https://docs.microsoft.com/windows/security/threat-protection/windows-security-baselines)
- **NCSC End User Device Security**: [ncsc.gov.uk/collection/end-user-device-security](https://www.ncsc.gov.uk/collection/end-user-device-security)
- **NCSC BYOD Guidance**: [ncsc.gov.uk/collection/device-security-guidance/bring-your-own-device](https://www.ncsc.gov.uk/collection/device-security-guidance/bring-your-own-device)
## Your Intune Setup Checklist
**Preparation**
- [ ] Confirmed Microsoft 365 Business Premium license (or Intune)
- [ ] Identified which devices to manage
- [ ] Decided on full management vs app protection approach
- [ ] Created test group of pilot users
**Basic Setup**
- [ ] Enabled automatic enrollment
- [ ] Created compliance policy
- [ ] Applied security baseline
- [ ] Set up app protection policy for mobile
**Security Enhancement**
- [ ] Configured conditional access policy
- [ ] Enabled BitLocker enforcement
- [ ] Set up Windows Update policies
- [ ] Configured Defender settings
**Operational**
- [ ] Documented procedures (lost device, offboarding)
- [ ] Communicated policy to staff
- [ ] Tested remote wipe procedures
- [ ] Set up compliance reporting
## Getting Started This Week
- **Day 1**: Verify you have the right licenses and open the Intune admin centre
- **Day 2**: Create a basic compliance policy and test it on one device
- **Day 3**: Apply the Windows security baseline to the test group
- **Day 4**: Set up an app protection policy for iOS/Android
- **Day 5**: Create a conditional access policy requiring compliance
- **Week 2**: Expand to all users and document procedures
Device management doesn't need to be complex. Start with the basics—encryption, passwords, updates—and build from there. Intune makes enterprise-grade security accessible to small businesses, and if you have Business Premium, you're already paying for it.