
Microsoft MDM Guide to Policies & Potential Problems

Microsoft MDM (Microsoft Intune) is a solution that many organizations have traditionally used to manage their always-on-the-go mobile phones. But now that Windows PCs are also always on the go, IT teams are looking at Microsoft Intune as a way to manage PCs too. Microsoft Intune is arguably the best MDM solution for Windows domains, as it seamlessly integrates with Microsoft Endpoint Manager and Microsoft Azure and provides significant licensing benefits. Further, Microsoft Intune easily integrates into an organization and IT department that may already be using Microsoft Group Policy or Microsoft Configuration Manager.

The most common way to manage Windows 10 right now is on-prem Active Directory and Group Policy. But those tools were created in an on-prem era when workstations were permanently stationed on site and mobile laptops were the exception and not the rule. That is no longer the case as machines today are routinely used remotely. This pattern has only been accentuated by the standardization of remote work strategies in recent times.

It is highly challenging for organizations to manage Windows 10 machines using only Group Policy when they are offsite for weeks and months at a time. As such, Microsoft MDM solutions such as Microsoft Intune fill the gaps. But just like Group Policy, any MDM solution can only do so much. The following are some of the disadvantages of using an MDM solution:

  • Like Group Policy, Microsoft MDM cannot natively deliver settings to the vast majority of third-party applications.
  • Microsoft MDM offers rudimentary manageability over the Windows Start Screen, taskbar, and file associations.
  • Microsoft Intune cannot manage multi-browser environments, nor does it provide control over multi-version Java environments.
  • Microsoft MDM enforces security baselines, but it cannot lock down user desktops in the manner necessary to combat ransomware and other types of attacks that continue to ravage enterprises, nor can it ensure compliance.

Most importantly, however, in the same fashion that Group Policy can only manage domain-joined machines, Microsoft Intune is strictly limited to MDM-enrolled devices. While you can import some Group Policy settings using OMA-URI, it is an arduous process that many admins choose to avoid. In that case, they are limited to what is built into the MDM solution, which typically comes up short in comparison to Group Policy.

PolicyPak Works with Microsoft MDM and Makes it Better

PolicyPak doesn’t replace Microsoft MDM (just as it doesn’t replace your existing Group Policy). It can, however, operate in harmony with Microsoft Intune, giving you the same granularity and control over MDM-enrolled computers that you get with Microsoft Group Policy, plus a whole lot more. When we say a whole lot more, we are referring to capabilities such as the following:

  • Performing true desktop automation
  • Blocking malware and zero-day threats
  • Elevating applications and bypassing UAC prompts with standard user rights
  • Reducing on-prem GPO sprawl by consolidating GPOs, then deploying those settings via MDM
  • Ensuring that critical websites open in the correct browser
  • Configuring and locking down settings for hundreds of commonly used applications


Frequently Asked Questions

If you have thought about using PolicyPak to elevate your MDM solution in order to give you super admin powers and total dominion over user desktops, you probably have some questions on how they interact with each other. Below are answers to some of the frequently asked questions about how these two systems work together.

Besides Microsoft MDM, What other kinds of MDM systems is PolicyPak compatible with?

PolicyPak is compatible with all major MDM solutions today including Microsoft MDM, VMware Workspace One, Citrix CEM, and MobileIron. You can watch videos on our website showing how PolicyPak can work hand-in-hand with any of these MDM services.

How do the policy settings that Microsoft MDM has in the box compare to what PolicyPak brings to the table?

Microsoft MDM has some of the Group Policy Administrative Template settings, but not all. PolicyPak has the complete gamut of Administrative Template settings as well as the complete package of settings contained within Group Policy Preferences. For instance, the screenshot below shows the setting categories contained within Computer Configuration > Windows Components.

[Screenshot: Create Windows MDM profile]

In contrast, PolicyPak Admin Templates Manager offers the complete array of setting categories within Windows components for both the Computer and User side, as shown below.

[Screenshot: PolicyPak Admin Templates Manager]

You can watch a video demonstration on our website showing how you can deliver Group Policy Admin Templates using your MDM service and PolicyPak. Because PolicyPak editors are built inside the Group Policy Management Editor, admins are already familiar with its policy creation process.

How can PolicyPak help me manage and secure applications I deploy to Windows 10?

PolicyPak enables you to create security and look-and-feel policies for over 500 applications. In the screenshot below, we are using PolicyPak Application Settings Manager to create a policy to manage JAVA settings.

[Screenshot: Application Settings Manager]

In doing so, you can ensure applications are using the most secure protocols, prevent browsers from saving passwords, and ensure long, strong passwords for those applications that require them. You can watch a video demonstration on our website showing how you can manage and lock down settings for hundreds of commonly used enterprise applications on your Microsoft MDM-enrolled machines using PolicyPak.

What kinds of policy settings can PolicyPak export and use with PolicyPak MDM?

You can export all kinds of settings and deploy them using the Microsoft MDM solution. You can export the settings of a single policy, or export all Administrative Template settings, any Group Policy Preferences settings, or a batch of Microsoft Security settings. In any case, it just takes a click of the mouse, as shown in the screenshot below. Once the settings are exported as an XML file, use the PolicyPak Exporter Tool to wrap the file up into an MSI file and deploy it through your MDM provider as if you were installing any other MSI.

[Screenshot: PolicyPak Preferences Manager]

Will exported GP settings revert in the same way when used with Microsoft MDM?

Yes, policy configuration settings items work and revert exactly like Microsoft’s Admin Templates Policy settings. Should the policy no longer apply, the involved settings revert back to their “Not Configured” value. You can also choose revert actions for specific application settings, as shown in the screenshot below.

[Screenshot: PolicyPak Application Settings Manager Configuration Table]

How is PolicyPak licensed with Microsoft Intune?

You can use PolicyPak with Microsoft MDM when you are a PolicyPak Enterprise or PolicyPak Professional Customer. The number of computers you want PolicyPak to do work on is the number of licenses you need.

How does PolicyPak work?

PolicyPak works with the following criteria:

  • All Windows 10 machines require that you deploy the PolicyPak CSE to them (an MSI file deployed via your MDM solution).
  • All Windows 10 machines require a license. This is also an MSI file deployed via your MDM solution.
  • Finally, exported Group Policy and PolicyPak settings are wrapped up as an MSI and deployed to your machines, again via your MDM solution.

See this video for a quick overview.

Where can I buy Jeremy’s book and learn more about Microsoft MDM?

You can purchase Jeremy’s book, MDM Fundamentals, Security, and the Modern Desktop, at any bookstore. For convenience, we have included a link to Amazon where you can purchase it immediately. Signed copies are available at www.MDMandGPanswers.com/book.

Learn More about PolicyPak

With the rapid adoption of hybrid cloud architectures, there’s no doubt you need more than native Group Policy to manage BYOD equipment, mobile laptops, or desktops that permanently reside at remote workspaces. But MDM alone isn’t enough. That’s where PolicyPak comes in. PolicyPak augments MDM capabilities to give you the granular control over settings, applications, and security that you need today. You can access our PolicyPak support center to learn more about PolicyPak.

Jeremy Moskowitz

Founder & CTO, Microsoft MVP in Group Policy, Enterprise Mobility, and MDM

Jeremy Moskowitz founded PolicyPak Software after working with hundreds of customers who shared the same problem: they couldn’t manage their applications, browsers and operating systems using the technology they already utilized.

Ready to Get Started? Register for Our Webinar.

Our PolicyPak Webinars explain everything you need to know to get started with the software. Once you've attended the webinar, you'll be provided a download link and license key to start a free trial.