Microsoft Intune and device management
Intune is Microsoft's cloud endpoint management service — what it manages, how policies work, and where it fits in Microsoft 365.
Microsoft Intune is the cloud endpoint management service in Microsoft 365. It enrolls devices, pushes policies and applications to them, and reports on compliance — all from a browser-based admin centre, with no on-premises servers to maintain.
What Intune manages
- Windows 10/11 desktops and laptops, joined to Entra ID and enrolled in Intune.
- macOS devices, via Apple Business/School Manager and Intune.
- iOS and iPadOS devices.
- Android devices, including dedicated kiosks and frontline-worker scenarios.
- Linux has limited support, focused on compliance attestation.
You can manage corporate-owned devices end-to-end ("MDM" — mobile device management) and partially manage personal devices through app-level controls ("MAM" — mobile application management) so personal data stays out of IT's reach.
What policies do
- Configuration profiles push settings: Wi-Fi, VPN, certificates, browser policies, Windows Update settings.
- Compliance policies define what "healthy" means — disk encrypted, OS up to date, antivirus running — and feed that signal into Conditional Access.
- App protection policies govern how corporate apps behave on personal devices: no copy-paste into personal apps, PIN required, remote wipe of corporate data.
- App deployment installs and updates Microsoft 365 Apps, Edge, line-of-business apps, and Win32 packages.
- Endpoint security ties into Defender for Endpoint for EDR and attack surface reduction.
Intune and Conditional Access
The signal Intune publishes — "this device is compliant" — is the single most useful input to Conditional Access. A typical policy: only let users into corporate apps if they're signed in with MFA from a managed, compliant device. This pattern, often called zero-trust device posture, is the main reason organisations adopt Intune.
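A check for the policy described above, as an added example that is not part of the original page: it audits Conditional Access policies, given in the shape of Microsoft Graph `conditionalAccessPolicy` objects, for the MFA plus compliant-device pattern. The sample policies, their display names, and the function names are constructed for this example.

```python
# Added example: audit Conditional Access policies (Microsoft Graph
# conditionalAccessPolicy JSON shape) for "MFA AND compliant device".
REQUIRED = {"mfa", "compliantDevice"}  # Graph builtInControls values

def _policy(name, state, users, operator, controls):
    """Build a constructed sample policy; only the audited fields are filled in."""
    return {"displayName": name, "state": state,
            "conditions": {"users": {"includeUsers": users},
                           "applications": {"includeApplications": ["All"]}},
            "grantControls": {"operator": operator, "builtInControls": controls}}

# Constructed sample data; an empty includeUsers models a group-only policy.
SAMPLE_POLICIES = [
    _policy("MFA and compliant device", "enabled", ["All"], "AND",
            ["mfa", "compliantDevice"]),
    _policy("MFA or compliant device", "enabled", ["All"], "OR",
            ["mfa", "compliantDevice"]),
    _policy("Pilot, report-only", "enabledForReportingButNotEnforced", ["All"],
            "AND", ["mfa", "compliantDevice"]),
    _policy("MFA only, one group", "enabled", [], "OR", ["mfa"]),
]

def audit_policy(policy):
    """Return the reasons a policy falls short of the pattern ([] if none)."""
    findings = []
    grant = policy.get("grantControls") or {}
    missing = REQUIRED - set(grant.get("builtInControls") or [])
    if missing:
        findings.append("missing control: " + ", ".join(sorted(missing)))
    elif grant.get("operator") != "AND":
        # With OR, MFA from an unmanaged device is enough to get in.
        findings.append("grant operator is OR: either control alone grants access")
    if policy.get("state") != "enabled":
        findings.append(f"not enforced (state={policy.get('state')})")
    cond = policy.get("conditions") or {}
    if "All" not in ((cond.get("users") or {}).get("includeUsers") or []):
        findings.append("not applied to all users")
    if "All" not in ((cond.get("applications") or {}).get("includeApplications") or []):
        findings.append("not applied to all applications")
    return findings

def audit(policies):
    """Map each policy's displayName to its list of findings."""
    return {p["displayName"]: audit_policy(p) for p in policies}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_POLICIES).items():
        print(f"{name}: {findings or 'OK'}")
```

A policy scoped to a group or a subset of apps can be intentional; the scope findings are there so the gap is a decision rather than an accident.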
Licensing
Intune is included with Microsoft 365 Business Premium, E3, E5, and F3, and is also available as a standalone product. It's also part of the Enterprise Mobility + Security (EMS) SKU. The Plan 2 add-on and Intune Suite unlock advanced features like remote help, endpoint privilege management, and specialty device management.
For Microsoft 365 customers, Intune is the natural and increasingly the only sensible answer for managing endpoints alongside the rest of the stack.