Cloud-Native Endpoint Deployment with Microsoft Intune

You plan to migrate to Intune? Then do it cloud native! Use the chance to get rid of your on-premises environment and the maintenance of its infrastructure, and move that responsibility to Microsoft. In this blog I want to explain what cloud native is and what Intune provides to make your journey a success. If you want to validate the provisioning part first, start with a Windows Autopilot test lab.

[Figure: Cloud native endpoint deployment with Intune]

What is cloud native endpoint management?

Cloud native endpoint management refers to the approach of managing all your company devices such as laptops, tablets, and smartphones entirely through cloud-based solutions, rather than relying on traditional on-premises infrastructure. This method leverages the full potential of cloud services like Azure and Intune, and gives you the agility, scalability, and resilience of the cloud to manage your endpoints.

In a cloud native setup, the management operations, policies, scripts, and configurations are delivered over the internet, allowing IT administrators to manage and secure corporate resources remotely, independent of the company network. This approach supports a wide range of devices across different operating systems and geographic locations, enabling more flexible, agile, and comprehensive endpoint management.

Key benefits of cloud native endpoint management include:

  1. Scalability: Easily scales up or down to handle an increase or decrease in the number of devices without the need for physical infrastructure adjustments.
  2. Flexibility: You can manage devices from anywhere, at any time, as long as they have internet access. This opens doors for remote work and BYOD (Bring Your Own Device) use cases.
  3. Cost Efficiency: Reduces the need for costly hardware, dedicated IT resources for maintenance, and remote network solutions. New versions and features are rolled out without manual intervention. This lowers your overall IT costs.
  4. Security: Enhances security by consistently applying updates, policies, and patches across all devices, ensuring compliance, and reducing vulnerabilities.
  5. Resilience: Offers high availability and disaster recovery capabilities out of the box. This minimizes your downtime and data loss.

What does Intune offer?

What does Intune offer to make your journey to cloud native endpoint management a success? My answer is a lot. At the core of Intune, you can find everything needed to manage your devices securely and efficiently, like policies, app distribution, reporting, and much more. But besides the core features, you can also find the Intune Suite, which consolidates all the additional needs around device management into one license (single service licenses are also available). The Intune Suite provides capabilities for remote support, cloud PKI, in-app VPN, enterprise privilege management, and much more.

The combination of Intune Core + Intune Suite should cover most of your requirements for good device management. Besides Intune, you also have Azure, which helps you out with hundreds of different services to build, for example, custom solutions for reporting and automation.

[Figure: Cloud native endpoint deployment with Microsoft Intune]

Zero trust is key!

In the evolving landscape of cybersecurity, traditional perimeter-based security models are no longer sufficient due to the increasing risk of cyber threats and the expanding nature of corporate networks. For me, a company network is more or less the same as the public internet.

The Zero Trust model changes how organizations secure their IT environments. This model operates under the principle of “never trust, always verify,” which ensures that security does not rely on the boundaries of the physical or network perimeter.

Principles of Zero Trust

Zero Trust security involves several key principles:

  • Verify Explicitly: Every access request, regardless of where it comes from, must be fully authenticated, authorized, and encrypted before access is granted.
  • Use Least Privilege Access: Users are granted access only to the resources they need to perform their duties, and nothing more. This minimizes the potential impact of a breach.
  • Assume Breach: This principle operates under the assumption that attackers could be both within and outside of the network. This means continuous monitoring and validation of all network and device activity.

Intune, for example, provides compliance policies to check whether devices fulfill all the requirements the company has. These can be predefined policies or custom compliance scripts that run on a device; based on the returned values, the policy check is marked as compliant or not. The compliance state can then be used as one signal in Conditional Access policies, which are granular access controls based on user identity, device compliance, location, and risk level. This ensures that only trusted devices and users can access sensitive resources.
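The compliance check described above, as an added example (not code from the original post or from Microsoft): a custom compliance discovery script, the JSON rules file Intune evaluates it against, and a local dry run of those rules so you can test before uploading. The setting names, the OS build threshold and the intranet URLs are assumptions for this example.

```powershell
# Added example (not from the original post): an Intune custom compliance
# discovery script plus a local dry run of its JSON rules file. Intune runs
# the script, parses the compressed JSON it returns and checks each key against
# the rules; a failed rule marks the device noncompliant for Conditional Access.
# The checked settings and the URLs below are this example's own choice.

function Get-DeviceComplianceState {
    # Discovery part: return ONE compressed JSON line, as Intune expects.
    $osDrive = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $state = @{
        BitLockerProtectionOn = ($osDrive.ProtectionStatus -eq 'On')
        OsBuild               = [int64][Environment]::OSVersion.Version.Build
    }
    return $state | ConvertTo-Json -Compress
}

# Rules file uploaded with the script (Devices > Compliance > Scripts); kept
# inline so the dry run can validate it against the discovery output first.
$RulesJson = @'
{ "Rules": [
  { "SettingName": "BitLockerProtectionOn", "Operator": "IsEquals", "DataType": "Boolean",
    "Operand": true, "MoreInfoUrl": "https://intranet.example.com/bitlocker",
    "RemediationStrings": [ { "Language": "en_US", "Title": "BitLocker is off",
      "Description": "Turn on BitLocker for the OS drive." } ] },
  { "SettingName": "OsBuild", "Operator": "GreaterEquals", "DataType": "Int64",
    "Operand": 22621, "MoreInfoUrl": "https://intranet.example.com/updates",
    "RemediationStrings": [ { "Language": "en_US", "Title": "Windows build too old",
      "Description": "Install the latest feature update." } ] }
] }
'@

function Test-ComplianceRules {
    # Dry run: evaluate every rule against the discovery JSON as Intune would.
    param([string]$DiscoveryJson, [string]$Rules)
    $actual = $DiscoveryJson | ConvertFrom-Json
    foreach ($r in ($Rules | ConvertFrom-Json).Rules) {
        $value = $actual.($r.SettingName)
        $ok = switch ($r.Operator) {
            'IsEquals'      { $value -eq $r.Operand }
            'NotEquals'     { $value -ne $r.Operand }
            'GreaterEquals' { $value -ge $r.Operand }
            'LessEquals'    { $value -le $r.Operand }
            'GreaterThan'   { $value -gt $r.Operand }
            'LessThan'      { $value -lt $r.Operand }
        }
        [pscustomobject]@{ Setting = $r.SettingName; Value = $value; Compliant = [bool]$ok }
    }
}

Test-ComplianceRules -DiscoveryJson (Get-DeviceComplianceState) -Rules $RulesJson
```

Run it elevated on a test device; any row with Compliant = False is what Intune would report as noncompliant once the script and rules are uploaded.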

If a connection to the on-prem network is really needed for a single app, you can also have a look at the Global Secure Access Gateway in Entra ID. This fully follows the Zero Trust principles and supports on-premises access in a cloud native world.

[Figure: Cloud native endpoint deployment with Microsoft Intune]

Advantages of a cloud native deployment

  • Best for remote workers
  • Deploy from anywhere
  • Simplified management for all platforms
  • Provide a secure Single-Sign-On (SSO) experience
  • Secure access without passwords
  • Seamless experience for documents, settings, and preferences

Key principles

  • Try to have as few on-prem dependencies as possible.
    • Question everything to see if it is really needed
  • Don’t see blockers, see chances.
    • Intune is not SCCM in the cloud. This means things work differently. Don’t complain about features that are missing.
    • See it as a chance to clean up old things and rethink them in a new and modern way.
  • Be creative; there are always solutions.
    • As mentioned above, with Intune and Azure you have a well-stocked toolbox with almost unlimited possibilities to create solutions.

How to plan your cloud native deployment

I see two ways to do it. My recommended way is to start on the greenfield and set up a clean and fresh cloud-only environment. Enroll all new devices in Intune and keep the old ones in SCCM until all devices are replaced. The other way is to go co-management and shift workload by workload. This second way may bring additional complexity and drawbacks. Once this decision is made, start to make a clear plan for your solution design. This design should include things like naming conventions, a security and hardening concept, which additional cloud infrastructure and resources are needed to run your apps and services, and much more.

[Figure: Cloud native endpoint deployment diagram with Intune management]

How to start and how to plan your project

Start with a Solution Design where you write down how your endpoint should look from an architecture point of view. You should have concepts for the naming of objects, design principles for your scripts, a security concept, and everything else that is important.

Once this is done you can set up a POC (Proof of concept) to check how this works in your environment with your requirements. This does not have to be the 100% implementation; it should only be a minimal setup for testing and getting a feel for it. Once this is done, you can continue with the configuration and the preparation of a pre-pilot with a very small group of IT-savvy people to get feedback.

Once this is done, you should start with a key component of the whole project: change management. You need change management for the end users but also for the IT folks, to bring your colleagues from other areas like network and security on board as well.

When you have a setup that is more final, you can start with a security review like penetration testing to make sure that the design you chose is as secure as possible. After this, you should start with a bigger pilot to get more feedback, fix the remaining stuff, and polish your setup. In parallel, you should make everything ready for the go-live (go-live preparation).

The last step is then the real go-live, and of course a constant task is continuous improvement. For this continuous improvement, you might also like this overview of analytics capabilities in Intune. If you want to go deeper into the security part, check out The ultimate MEM tour part 3 – Endpoint Security. If you want to start with the basics first, you might also like my Intune Quick Start Guide.

[Figure: Cloud native endpoint deployment with Intune device management]