
Microsoft Intune for SMEs: Device Management Without the Complexity

Intune is powerful, and it's already included in Microsoft 365 Business Premium. Here's how to deploy it practically for a Canadian SME without a team of six IT staff.

MicroPro Team · 4 min read

Microsoft Intune (formerly grouped under the Microsoft Endpoint Manager brand) is a mobile device management (MDM) and mobile application management (MAM) platform that manages Windows, macOS, iOS, iPadOS, and Android devices. It's included in Microsoft 365 Business Premium, a license many Canadian SMEs already hold.

Despite being available, many businesses don't configure Intune at all, leaving devices unmanaged and compliance policies unenforced. Here's how to deploy Intune practically for a business of 20–150 employees.

What Intune actually does

Device enrollment registers devices in Intune, giving IT visibility and management capability. Enrolled devices can receive configuration policies, application deployments, and compliance checks.

Compliance policies define what a compliant device looks like: OS version ≥ a certain level, BitLocker encryption enabled, screen lock configured, antivirus running. Non-compliant devices can be flagged, notified, or blocked from accessing corporate resources via Conditional Access.

Configuration profiles push settings to devices: Wi-Fi profiles, VPN configuration, email account setup, browser settings. Configure once; deploy to hundreds of devices automatically.

App deployment pushes applications to managed devices silently. Deploying Microsoft 365 apps, Chrome, or a VPN client to every new Windows device without user interaction is a meaningful time saving.

Remote wipe allows IT to erase a lost or stolen device remotely, which is critical when a laptop with corporate data goes missing. Intune distinguishes a wipe (factory reset of the whole device) from a retire (remove corporate data and management only), and the latter is what you use for personally owned devices.

The enrollment options

Windows Autopilot is the recommended enrollment path for new Windows devices. You register each device's hardware hash with Intune (your reseller can do this at purchase, or you collect it yourself with the Get-WindowsAutopilotInfo PowerShell script); the user powers on the new PC, connects to the internet, and signs in with their corporate credentials; Autopilot automatically applies policies and installs applications. IT never needs to physically touch the device.
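As an added example (not code from the article or from Microsoft), this is the hands-on part of the Autopilot path for a device you already own: collect and upload the hardware hash from the device itself, then create a dynamic Azure AD group on an admin workstation so that your Autopilot deployment profile, compliance policy and apps can target every registered device without manual group maintenance. The group tag "Corp-Laptop" and the group names are assumptions.

```powershell
# Added example. Step 1 runs on the device being registered, from an elevated
# PowerShell session (or Shift+F10 at the OOBE screen of a fresh install).
# The group tag "Corp-Laptop" is an assumption; pick one per device class.

# Allow the signed script from the PowerShell Gallery to run in this session only.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned -Force
Install-Script -Name Get-WindowsAutopilotInfo -Force

# -Online uploads the hash straight into the tenant (prompts for an Intune admin
# sign-in). Drop -Online and add -OutputFile .\hash.csv to upload through the
# Intune admin center instead, e.g. when the device has no network at OOBE.
Get-WindowsAutopilotInfo -Online -GroupTag "Corp-Laptop"

# Step 2 runs on an admin workstation. Autopilot stores the group tag on the
# device object as "[OrderID]:<tag>", so a dynamic membership rule on that value
# collects every device you register with this tag.
Connect-MgGraph -Scopes "Group.ReadWrite.All"

New-MgGroup -DisplayName "Autopilot - Corp Laptops" `
    -MailEnabled:$false -MailNickname "autopilot-corp-laptops" -SecurityEnabled `
    -GroupTypes "DynamicMembership" `
    -MembershipRule '(device.devicePhysicalIds -any (_ -eq "[OrderID]:Corp-Laptop"))' `
    -MembershipRuleProcessingState "On"

# To catch every Autopilot device regardless of tag, use this rule instead:
#   (device.devicePhysicalIds -any (_ -startsWith "[ZTDId]"))
```

Assign the Autopilot deployment profile to that group in the Intune admin center; a device that is registered but has no profile assigned will go through a normal, unmanaged OOBE, which is the most common reason "Autopilot didn't kick in" on a pilot device.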

Azure AD Join (Azure AD is now Microsoft Entra ID) works for existing devices without Autopilot. The user signs into Windows with their Azure AD account, the device joins Azure AD, and Intune enrollment happens automatically, provided the MDM user scope under Azure AD > Mobility (MDM and MAM) > Microsoft Intune includes that user. If the scope is still set to None, devices join Azure AD but never show up in Intune.

Bring Your Own Device (BYOD) via Company Portal: employees download the Intune Company Portal app and enroll their personal device. IT gets compliance visibility and can push corporate apps; IT does not get full device management (you retire the device to remove corporate data rather than wiping it). For personal phones, app protection policies (MAM) on Outlook and Teams are often enough and avoid enrolling the device at all.

Compliance and Conditional Access: the integration that matters most

Intune's compliance policies are most valuable when paired with Azure AD Conditional Access. The flow:

  1. Intune evaluates whether a device meets compliance policy
  2. Azure AD Conditional Access checks device compliance when users attempt to access resources
  3. Non-compliant devices are blocked from accessing Exchange, SharePoint, and Teams until they remediate

This means an employee running an out-of-date OS or with disk encryption disabled simply can't access corporate email until the issue is fixed. It's a policy enforced automatically, not a conversation you need to have. Two caveats: a device that is not enrolled at all is treated as non-compliant, so the policy locks out everyone who hasn't enrolled yet, and the policy must exclude a break-glass admin account so a misconfiguration can't lock IT out of the tenant.

Practical deployment approach for SMEs

Week 1–2: Enroll IT staff and test devices

  • Enable Intune in your Microsoft 365 admin console
  • Create a pilot compliance policy (reasonable thresholds—don't set OS requirements that immediately block 40% of your fleet)
  • Enroll IT devices and validate the experience

Week 3–4: Deploy to the broader team

  • Communicate the change to employees: what's being enrolled, what policies will apply, what IT can and cannot see on personal devices
  • Enroll corporate devices; set up BYOD enrollment for personal devices
  • Monitor compliance status and resolve issues

Week 5–6: Activate Conditional Access

  • Create the Conditional Access policy requiring a compliant device for email and SharePoint, excluding a break-glass account, and set it to "report only" mode
  • Review the sign-in logs and Conditional Access insights to identify which devices and users would have been blocked
  • Switch the policy to "On" once compliance rates are acceptable
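As an added example covering the compliance-plus-Conditional-Access flow above and the week 1 and week 5 steps of this plan (not code from the article or from Microsoft), this creates the pilot compliance policy and the report-only Conditional Access policy through the Microsoft Graph REST API using the Microsoft Graph PowerShell SDK. Thresholds, policy names and both group IDs are assumptions; the Graph paths, property names and state values are the documented ones.

```powershell
# Added example. Requires the Microsoft.Graph PowerShell SDK and an account that
# can manage Intune and Conditional Access. Group ids below are placeholders.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All",
                        "Policy.ReadWrite.ConditionalAccess"

$pilotGroupId      = "00000000-0000-0000-0000-000000000001"   # assumption: pilot users
$breakGlassGroupId = "00000000-0000-0000-0000-000000000002"   # assumption: emergency admins

# --- Week 1-2: pilot compliance policy with thresholds the fleet can actually meet ---
$compliancePolicy = @{
    "@odata.type"          = "#microsoft.graph.windows10CompliancePolicy"
    displayName            = "Pilot - Windows baseline"
    osMinimumVersion       = "10.0.19045"   # Windows 10 22H2; check the fleet before raising
    bitLockerEnabled       = $true
    secureBootEnabled      = $true
    tpmRequired            = $true
    passwordRequired       = $true
    passwordMinutesOfInactivityBeforeLock = 15
    activeFirewallRequired = $true
    antivirusRequired      = $true
    # Graph rejects a policy without scheduledActionsForRule. A grace period lets
    # users remediate before the device is marked non-compliant and gets blocked.
    scheduledActionsForRule = @(@{
        ruleName = "PasswordRequired"
        scheduledActionConfigurations = @(@{
            actionType                = "block"
            gracePeriodHours          = 72
            notificationTemplateId    = ""
            notificationMessageCCList = @()
        })
    })
}
$policy = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies" `
    -Body ($compliancePolicy | ConvertTo-Json -Depth 10) -ContentType "application/json"

# Assign the policy to the pilot group only; widen the assignment in week 3-4.
$assignment = @{ assignments = @(@{
    target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $pilotGroupId }
}) }
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($policy.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType "application/json"

# --- Week 5-6: Conditional Access, created in report-only mode ---
$caPolicy = @{
    displayName = "Require compliant device for Office 365"
    # Report-only logs what would have been blocked without blocking anyone.
    # Change to "enabled" once the compliance dashboard looks acceptable.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications = @{ includeApplications = @("Office365") }   # Exchange, SharePoint, Teams
        platforms    = @{ includePlatforms = @("windows") }         # start with managed Windows
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice") }
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Body ($caPolicy | ConvertTo-Json -Depth 10) -ContentType "application/json"
```

The platform condition is deliberately limited to Windows: adding iOS and Android to this policy blocks every personal phone that is not enrolled, so for BYOD mobile you either enroll those devices first or add "approvedApplication"/"compliantApplication" as an alternative grant so that app-protected Outlook and Teams still satisfy the policy.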

What Intune cannot do (and what fills the gap)

Intune is excellent for Windows and adequate for iOS/Android. macOS support has improved significantly but is less mature than Jamf for Mac-heavy environments.

For organizations with 30%+ Mac users, consider Jamf for Mac management alongside Intune for Windows and mobile. Jamf can report device compliance into Azure AD through its Intune integration, so a single set of Conditional Access policies covers both fleets.


MicroPro deploys and manages Microsoft Intune environments for Canadian businesses. Our Endpoint Management service covers enrollment, policy configuration, and ongoing management.

Ready to put this into practice?

MicroPro works with Canadian businesses on cloud, IT, and security. Book a free consultation.