Microsoft Intune Terminology
While the general concepts for device management are consistent across management solutions, terminology can at times differ and cause confusion for new administrators and users. The list below covers common Intune terminology and acronyms that administrators often need clarified.
User: A user account in Entra (Entra ID). This account could
exist only in the cloud, or it can be synchronized from
on-premises Active Directory.
Device: A device object in Entra (Entra ID). This is the
registration record that is created when a device is
added to the directory.
Assigned group: A Group in Entra (Entra ID) with users or devices
directly added to it.
Dynamic group: A Group in Entra (Entra ID) whose members are added
by querying one or more attributes. The administrator
must select whether the group will contain users or devices during
the initial creation.
Assignment: The process of targeting an Intune policy or object to a
group. For example, “assigning Word to the
accounting group”.
Filter: Filters are a targeting feature in Intune that allows
administrators to narrow the scope of
a policy assignment using additional attributes. For
example, an administrator might assign Word to
accounting users, and then use a filter to limit it to
corporate-only devices.
Device Categories: An Intune feature that allows an administrator to
assign a label to a device to help categorize the device.
This category can then be used to help with targeting
and/or reporting.
App Protection Policy: App Protection policies provide Mobile Application
Management (MAM) policies to Intune SDK-enabled
applications. App protection policies (APP) are rules
that ensure an organization's data remains safe or
contained in a managed app.
App configuration policies: App configuration policies allow administrators to send
configuration information to applications on devices.
For example, configuring the database server for a
mobile application.
Policy Sets: An Intune feature that allows an administrator to
create a virtual bundle of objects (apps, policies) and
make a single assignment for these objects. For
example, creating an Accounting Devices policy set and then selecting all of the apps and settings for the
accounting department.
App Selective Wipe: An Intune feature that allows an administrator to send
a wipe command to applications with an active App
Protection Policy. This is supported with or without
device management.
Microsoft Tunnel Gateway: Microsoft Tunnel is the first-party VPN solution from Microsoft for mobile devices.
Roles: Roles are defined permission sets within Intune that grant
users the ability to perform actions in Intune. They are
the foundation for Role Based Access Control (RBAC)
and delegated management in Intune. Roles are used to
determine what actions an administrator can take, and
on what objects.
Scope tags: Scope tags are used to filter what objects an
administrator can see in Intune. Scope tags are
created and then assigned to administrators and to
objects in Intune. Administrators can only see objects
with matching scope tags. For example, if I create an
accounting scope tag and assign it to all
accounting-related objects, they cannot be seen by an
administrator who doesn’t have the accounting scope
tag assigned to them.
Diagnostic settings: Intune supports sending logs to Azure Monitor for
storage and advanced reporting. Diagnostic settings are
where administrators configure integration between
Intune and Azure Monitor.
Terms and conditions: An Intune feature that presents users enrolling devices
with the Terms and Conditions for enrolling devices
and accessing company resources.