Building an effective device management strategy in education

By Callum MacKay - February 17, 2021

Covid-19 and the associated disruption have emphasised the need for organisations to have an agile method to onboard, secure, manage and monitor the devices being used.

Depending on the size and complexity of your institution, as well as the internal resources supporting your IT, you may be unsure of the options available and where to start. Your organisation may also be hesitant to create additional tasks for educators to perform.

However, if approached correctly, the process of building or refining your device management can be quick and simple while improving the security, visibility and safety of your devices, users and data.

How can a school build a device management strategy?

Every school, no matter the size and complexity, will issue devices to staff. You may also be providing devices for some students to use while learning remotely.

Failing to manage these devices means you are leaving the responsibility for security and management of each device to the user. That user could remove the need for a password to access the device, share the device with family and friends, or download and install anything onto the device. Your organisation also cannot update devices, restrict activity based on user role, or remotely reset and wipe the device if it is lost or stolen.

However, while schools can appreciate the value, they may not have the internal resource to configure and manage devices, nor the budget to hire someone to do so. As a school, there are common requirements and use cases that generally apply, so rather than try to contend with more comprehensive, extensive and expensive device management platforms, the best solution is Microsoft Intune for Education.

Microsoft Intune for Education offers reduced complexity when compared to the full Intune experience. The simplified dashboard and option for quick setup means you do not need to be an experienced IT professional to configure and manage school devices.



Intune for Education comes with pre-configured policies tailored for the different users and groups traditionally using school devices. This means you can target devices based on whether they are used by faculty, educators, staff or students. As most schools need users to have a consistent experience across many devices, Intune for Education can integrate with your Student Information Management system, so apps and policies follow the user across devices.

Intune for Education is also extremely well priced, with a low per user per month cost. You can also take advantage of Microsoft’s Student Use Benefit, which entitles education organisations purchasing Microsoft licensing to receive up to 40 student licenses for every staff license purchased. This means that you could license all students, just by licensing your staff across a range of Microsoft products and services, not just Intune for Education. You can also sign up for a free trial of Intune for Education.

Can I manage Apple and Android devices in Intune for Education?

Most schools use Windows 10 devices for their staff and students, but it is common for there to be iPads in use across the estate.

Microsoft recognise that students may require different devices depending on the different stages in their development at school. And with the heavy use of iPads in early years environments, Microsoft has continued to invest in broadening the iOS device management capabilities in Intune for Education. 

iPads can therefore be enrolled and managed in the Intune for Education portal, along with Windows 10 devices.

For your school to enrol and manage iOS devices in Intune for Education, these devices must be purchased through your Apple Education Account. You must also set up a connection between Intune for Education and your Apple School Manager account.

Though the process of enrolling iOS devices does add a small amount of complexity compared to only enrolling your Windows 10 devices, once enrolled the management of both can be done in the same dashboard. Crucially, the pre-configured settings, policies, groups and use cases can be applied to your iOS devices as well.

However, if your school wishes to enrol and manage macOS (MacBooks or iMacs) or Android devices, you will require the more extensive features found in the full Microsoft Intune experience.

What is the difference between Intune for Education and Intune?

Rather than schools spending a great deal of time and money enrolling and managing devices, Intune for Education offers an opportunity to enjoy a simpler and more focused approach to device management in an education setting.

Intune for Education therefore only makes available the settings and workflows that a school would typically need. This reduction in complexity means less time and money is required to deliver device management, while still addressing common scenarios such as users sharing devices and integration with other Microsoft Education products like School Data Sync.

The full Intune experience offers a greater deal of granularity in the policies and settings that can be configured and deployed to devices. For Higher and Further Education organisations, it is likely to be the case that the full Intune experience would be more suitable.

Furthermore, you can only enrol Windows 10 and iOS devices in Intune for Education. For more complex IT estates that may need to enrol and manage macOS or Android devices, you will need the full device management experience found in Intune.

Should we manage our users' personal devices?

Covid-19 has shifted priorities and circumstances for every industry. The pressure for education has been to use the limited resources available to continue the provision of education for all students, especially those who are not able to attend on-site.

This has been dependent on the availability of personal devices. Use of personal devices provides great convenience and flexibility, but also opens up users and data to a number of threats. For schools, keeping staff, students and data secure online is of the utmost importance.

So how can you reconcile these competing motivations?

Mobile Device Management is possible for personal devices in Intune and this is known as Bring Your Own Device (BYOD). In BYOD, users enrol their personal devices in Intune, whereupon varying degrees of device management can be undertaken to secure access to corporate data, enforce corporate policies or segregate corporate data from personal data.

However, it is worth carefully considering the pros and cons of this approach. Taking a personal device under management in Intune may require the device to comply with a range of policies and settings that individuals may not wish to have set for them on their own device. Furthermore, this can create questions about what this means for privacy and control of personal data, which can ultimately dissuade users from using this feature.

To avoid this issue, you can utilise Mobile Application Management (MAM) in Intune, where your organisation is not managing the device, but instead manages the application that is being used to access organisation assets and data. Using MAM, you can permit or block a user's access to assets based on whether they are using specific applications.

For example, you can require that Outlook must be used as the email client application to access corporate email, set conditional access policies to insist that the user must perform Multi-Factor Authentication every day, or prevent users from copying, pasting, printing or screenshotting in an application.

As the information within the application is containerised and separated from the personal data on the device, if that individual leaves the organisation in the future, Intune can securely and remotely log the user out of the app and wipe any corporate data from the personal device. This may also be useful if a personal device is lost or stolen.

However, there are also limits to the applications which will work with Mobile Application Management in Intune. Depending on the apps you would need to manage, the requirements of your users and their acceptance of enrolling their personal devices into device management in Intune, your organisation will need to decide on the best approach.

What if we already use Microsoft Configuration Manager (formerly SCCM)?

Some educational institutions may have already invested in Microsoft Configuration Manager (formerly known as SCCM) to manage their devices.

Configuration Manager is an on-premises solution for managing desktops, servers and laptops that are on your network or internet-based, and for deploying apps, software updates and operating systems.

While Configuration Manager offers lots of useful functionality, there are limits to the features available and the efficiency with which you can perform them.

Rather than replacing Configuration Manager, it may make more sense to add to it with Intune. This is what is known as co-management within Microsoft Endpoint Manager and you can do it without adding to your Configuration Manager licenses.



Microsoft Endpoint Manager is actually a consolidated selection of products and tools which can all be used in harmony to manage, monitor and secure all your devices, servers, virtual machines etc. Configuration Manager and Intune are two distinct component services within Microsoft Endpoint Manager.

Through co-management in Endpoint Manager, you can add the cloud features in Intune, such as conditional access, restart, factory reset and modern device provisioning through Autopilot, to the existing features in Configuration Manager.

You can then choose whether Configuration Manager or Intune is the management authority for your different workloads.

If you are interested in learning more about the components of Microsoft Endpoint Manager and how to achieve an effective device management strategy, Core are currently delivering a range of workshops, some of which are Microsoft funded and at no cost to customers.

These workshops are tailored to your organisation to demonstrate how you can gain maximum benefit from your Microsoft investments, as well as providing actionable insights to your IT environments which can be used to form a business case, confidently select a solution or proceed with a project.

You can connect with me on LinkedIn or request a discussion with me through our website.

Core will also be delivering a joint webinar with Microsoft Education in March 2021, titled ‘The Three stages of Microsoft Device Management for Education; Providing, Managing and Securing devices during Lockdown’. Stay tuned to Core’s events page for the registration link.
