QIT Solutions: Blog


Microsoft Endpoint Manager: An Introduction to the benefits it offers your business.

Microsoft Endpoint Manager makes it easier for administrators to manage mobile and desktop work environments with less work and time. It combines Intune and Configuration Manager to aid in device management and in securing devices and applications.

As businesses move to offer employees flexible workspaces, both in the office and out in the field, IT departments have historically struggled to consolidate hardware management in a single console.

Microsoft launched the Intune cloud service in 2011 to address the emerging needs of enterprise mobility management. Then, in 2019, it combined Configuration Manager with Intune into a single unified endpoint management offering, Microsoft Endpoint Manager (MEM).

As a result, MEM makes Intune licensing available to Configuration Manager customers looking to migrate from on-premises management to the cloud. The two services now manage over 200 million devices, according to Microsoft.

Rebranding Intune as Microsoft Endpoint Manager initially caused confusion due to the tool’s overlapping features. However, companies that have used MEM now understand its full suite of capabilities.

Microsoft Intune, Windows Autopilot, System Center Configuration Manager, and Desktop Analytics are the main tools and services of MEM. Microsoft Intune is arguably the most popular and in-demand tool in MEM. It’s a cloud-based Unified Endpoint Management (UEM) and Mobile Device Management (MDM) platform.

What is Microsoft Endpoint Manager?

Microsoft Endpoint Manager or MEM is a cloud-based solution designed to address the challenges organizations face with deploying, securing, and managing enterprise devices. These include servers, computers, and mobile devices.

IT staff need a secure way to manage every endpoint device that accesses an organization’s network. They can use MEM to create policies governing how personal devices may access the organization’s data and applications.

MEM features several different services that collectively enable the management of mobile, physical, and virtual devices throughout an organization. These services include:

  1. Microsoft Intune: It is Microsoft’s cloud-based solution for easy mobile device and application management. Admins can use it to configure and secure devices using Android, macOS, iOS, and Windows operating systems. They can also use it to deploy applications to managed devices.
  2. Co-management: It ties together Intune and Configuration Manager to designate either one as the management authority for the organization’s workload groups.
  3. Configuration Manager: Unlike Intune, which is cloud-based, Configuration Manager resides on-premises. Admins use it to deploy applications and manage server and PC updates.
  4. Windows Autopilot: It automates the deployment of new devices and can perform the initial setup and device configuration before enrolling them into Intune.
  5. Endpoint Manager Admin Center: It’s a web interface enabling admins to manage Endpoint Manager.
  6. Azure Active Directory: Endpoint Manager stores devices and user information in Azure AD. Normally, when an admin joins a device to an AD domain, it creates a computer account to represent the device.

How Does Microsoft Endpoint Manager (MEM) Work?

Device management has become more challenging and time-consuming in recent years. Users once worked mainly from tightly-managed and domain-joined desktops. However, today’s users work from multiple mobile devices.

Microsoft Endpoint Manager combines existing legacy solutions (primarily Configuration Manager) with modern device management capabilities. Below are ways that MEM helps administrators:

  • Helps with the provisioning of new devices: When a team member gets a new computer, MEM’s Autopilot feature installs Windows onto the device, performs the initial configuration, and enrolls it into Intune. MEM automates the entire process, saving the IT department time.
  • Assists users who prefer using personal devices for work: Users have access to self-service portals where they can enroll their devices into Intune. MEM then verifies that the device meets the configured compliance requirements before the user can start using it. The automated process leads to increased productivity and a better user experience, since employees don’t have to wait for IT to approve and provision devices.
  • Helps organizations manage devices: MEM helps detect and automatically deploy security patches, lets admins create security policies, and automatically applies them to devices to ensure a secure configuration. For instance, an organization can put policies in place requiring a password-protected lock screen on all mobile devices or an enabled firewall on Windows devices. MEM can identify non-compliant devices and, in some cases, perform automatic remediation.
  • Saves administrators from installing applications manually: An enterprise application store makes approved apps available to users when they need them.
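The compliance policy described above (password-protected lock screen, firewall enabled, disk encryption on) can be created in Intune through the Microsoft Graph API. The following PowerShell script is an added example, not code from the original post or from Microsoft; it assumes the Microsoft.Graph PowerShell module is installed, that the signed-in admin holds the DeviceManagementConfiguration.ReadWrite.All permission, and it uses the windows10CompliancePolicy property names as the author of this example knows them from the Graph API. The policy name, grace period and the group id placeholder are constructed values.

```powershell
# Added example (not from the original post): define a Windows 10/11 compliance policy
# in Intune via Microsoft Graph and assign it to a group.
# Assumes: Microsoft.Graph module installed; caller has
# DeviceManagementConfiguration.ReadWrite.All. <GROUP-OBJECT-ID> is a placeholder.

Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

$policy = @{
    "@odata.type"           = "#microsoft.graph.windows10CompliancePolicy"
    displayName             = "Baseline - Windows workstation"   # constructed name
    description             = "Lock-screen password, firewall and BitLocker required"
    passwordRequired        = $true   # a password/PIN must be set to unlock the device
    passwordMinimumLength   = 8
    activeFirewallRequired  = $true   # Windows Firewall must be enabled
    bitLockerEnabled        = $true   # BitLocker protection must be active
    # Action taken when a device fails the rules: mark it non-compliant immediately
    # (gracePeriodHours = 0) so that conditional access can block it from corporate data.
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{
                    actionType             = "block"
                    gracePeriodHours       = 0
                    notificationTemplateId = ""
                }
            )
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies" `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType "application/json"

"Created compliance policy $($created.id)"

# Assign the policy to an Azure AD group; devices in the group are evaluated against it.
$assignment = @{
    assignments = @(
        @{
            target = @{
                "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                groupId       = "<GROUP-OBJECT-ID>"   # placeholder: replace with the real group id
            }
        }
    )
}

Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType "application/json"
```

The policy only marks devices as compliant or non-compliant; the enforcement comes from pairing it with a conditional access rule that requires a compliant device before granting access to corporate applications.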

What Can Endpoint Manager Do?

Using Endpoint Manager’s console, IT can execute a Unified endpoint management (UEM) strategy to enable the onboarding of end users through any hardware platform. IT can apply governing rules and requirements for the type of applications and data users can access.

UEM uses mobile device management (MDM) APIs on mobile platforms for identity management, operational analytics, asset management, and wireless LAN management. In theory, MEM enables IT to remotely provision, secure, and control everything from desktops and laptops to tablets and smartphones from a single console.

Many of the basic app and system provisioning functions needed for business devices running Windows are now done via the OS’s enterprise mobility management (EMM) control consoles, enabled by Intune. Therefore, organizations using recent Windows PC deployments can access consolidated management tools and unified configuration and policy platforms via UEM.

For example, the integration of Endpoint Manager with Microsoft’s Azure AD and Information Protection enables IT admins to classify emails and documents by applying access conditions. Also, the integration with Azure Data Protection allows admins to include watermarks on images taken with mobile devices, whether corporate or personal.

Why the Need for Microsoft Endpoint Manager

Endpoint Manager makes it easier for organizations to manage a variety of devices and protect corporate data while still allowing users to work from corporate and personal devices. It combines the capabilities of mobile device management and mobile application management while remaining tied to the Windows ecosystem, which gives it access to other Microsoft products. Additionally, it can manage hardware running other operating systems, including Android, iOS, and macOS.

Microsoft envisions the use of Endpoint Manager to manage cloud PCs, a vision it launched in mid-2021 as part of its Windows 365 venture.

Endpoint Manager allows traditional management tools to continue playing a key role in co-managing devices that require routine lifecycle tasks like disk imaging. The year 2020 accelerated the adoption of cloud management and co-management of endpoints. With more companies moving to remote working conditions, the need for a reliable endpoint management platform has never been greater.

The bring-your-own-device (BYOD) trend that followed Apple’s 2007 release of the iPhone saw hardware management shift away from a Windows-dominant reality to one that increasingly includes diverse operating systems such as Android and iOS.

As users carry out more of their work on mobile devices, the need to manage all user-facing devices from a single console keeps building momentum behind unified endpoint management.

How Endpoint Manager Benefits the Migration to Azure Active Directory (AD)

Azure Active Directory is a cloud-native service that Intune uses to manage the identities of devices, users, and groups. The Intune policies an organization creates are assigned to these devices, users, and groups. Once devices are enrolled in Intune, users can sign in to their endpoint devices using their Azure AD accounts.

Organizations can opt for Azure AD Premium at an extra cost; it adds features that help protect devices, data, and applications, such as dynamic groups, conditional access, and automatic enrollment in Intune.

As organizations continue expanding their remote workforce, those that fail to adopt modern cloud solutions neglect essential tools that enhance mobility and productivity. They also put their corporate data at a high risk of compromise. Traditional IT solutions like in-house data centers were geared towards work done in the office, not remotely.

The push for remote work and BYOD has seen more organizations decentralize their resources and move to cloud-based solutions like SaaS, IaaS, and PaaS. However, when it comes to user endpoint devices, Azure Active Directory and Endpoint Manager are the right solutions to help manage and secure corporate devices and data.

The benefits for an organization that embraces the cloud and uses Azure AD and Endpoint Manager for device and identity management include:

  • No servers to maintain, backup, or patch
  • Less IT overhead because there are no on-premises servers to manage
  • Centralized remote device management with Intune and Azure AD
  • No need for client VPNs since resources are cloud-based
  • Users can work from anywhere if they have an internet connection
  • Allows remote device patching and app deployments with Intune
  • Autopilot helps with the automatic provisioning of remote devices
  • Enables additional security controls like conditional access to protect corporate data
  • Device encryption with the decryption keys stored in Azure AD
  • Mobile application management capability for secure access to data on personal devices
  • Remote wipe capabilities for stolen and lost devices

When an organization considers moving from a local AD to Azure AD for device and identity management, it will end up with one of the following options:

  • A serverless environment with SaaS resources and Azure AD-joined, cloud-managed endpoints
  • Some servers maintain a local AD, with endpoint devices managed from the cloud
  • Some servers maintain a local AD, a synchronization solution replicates user identities to Azure AD, and the endpoints are hybrid Azure AD joined
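Which of these three states a given Windows device is in can be read from the built-in dsregcmd tool. The script below is an added example, not from the original post or from Microsoft: it runs dsregcmd /status, parses the AzureAdJoined, DomainJoined and WorkplaceJoined fields, and maps them to the options above. The classification labels and the Get-DeviceJoinState function name are this example’s own; it must be run on a Windows 10 or 11 device.

```powershell
# Added example (not from the original post): classify a Windows device's directory
# join state from dsregcmd /status. Field names come from dsregcmd's own output;
# the labels and the function are constructed for this example.

function Get-DeviceJoinState {
    $status = dsregcmd /status

    # Output lines look like "  AzureAdJoined : YES"; collect them into key -> value pairs.
    # Lines whose key contains spaces (e.g. "Device Name") do not match and are skipped.
    $fields = @{}
    foreach ($line in $status) {
        if ($line -match '^\s*(\S+)\s*:\s*(.+?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    $aad    = $fields['AzureAdJoined']   -eq 'YES'   # device object exists in Azure AD
    $domain = $fields['DomainJoined']    -eq 'YES'   # device is joined to on-premises AD
    $reg    = $fields['WorkplaceJoined'] -eq 'YES'   # user registered a personal device

    $state = if ($aad -and $domain) { 'Hybrid Azure AD joined (local AD kept, identities synchronized)' }
             elseif ($aad)          { 'Azure AD joined (serverless, cloud-managed endpoint)' }
             elseif ($domain)       { 'On-premises AD joined only (not cloud-managed)' }
             elseif ($reg)          { 'Azure AD registered (personal / BYOD device)' }
             else                   { 'Not joined to any directory' }

    [pscustomobject]@{
        AzureAdJoined   = $aad
        DomainJoined    = $domain
        WorkplaceJoined = $reg
        TenantName      = $fields['TenantName']
        MdmUrl          = $fields['MdmUrl']   # populated once the device is enrolled in Intune
        JoinState       = $state
    }
}

Get-DeviceJoinState | Format-List
```

Running it across a fleet (for example through a remote PowerShell session or an Intune script) gives a quick inventory of which endpoints are still tied to the local domain and which are already cloud-managed, which is useful when planning the migration order.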

The Bottom Line

Today’s organizations face increasing risk from the broad range of personal devices accessing their systems and networks, especially since the rise of remote work environments. That’s where Microsoft Endpoint Manager comes in.

MEM is a full-featured platform and an enterprise-ready solution for managing internal, external, corporate-owned, and personally-owned devices. Microsoft Endpoint Manager delivers a flexible platform to help organizations protect their data and manage their risk, especially over devices they don’t fully control.

At QIT Solutions, we help businesses save money, focus on what’s important, and work faster. We offer top IT support, managed services, and security solutions in Florida. Contact us today to help keep your business secure, online, and operational.

QIT Solutions

QIT Solutions set out to solve what was then a major problem for small businesses: the difficulty of keeping up with their IT needs. We noticed that large corporations often had multiple employees specializing in different aspects of the industry and realized this approach would also work well for smaller organizations that might not be able to sustain such teams but still need help managing an oversized workload. We provide a single resource for all your IT issues.