Microsoft Intune provides options to deploy and manage mobile OS updates, across both Apple and Android devices.
Not so long ago, the updating of operating systems on mobile devices was largely left to end users to implement - and for many organisations this is still the case today.
As you can imagine, relying on end users to implement an OS update has mixed outcomes. What's more, organisations will have little visibility of whether or not it has occurred.
This has implications for the security of the device, security of data, security of the corporate network, and productivity of end users.
Microsoft Intune has solved this problem for IT teams by providing visibility of all devices enrolled in the platform, and delivering granular control of OS update deployment.
Microsoft Intune provides two main options to control mobile OS updates:
The mobile OS update features within Intune allow IT admins to enforce the installation of platform updates, but how this is achieved differs for iOS/iPadOS versus Android devices.
For iOS and iPadOS devices, Intune can manage platform updates by creating an Update Policy or by utilising Device Restrictions, or a combination of both.
Intune provides management options for supervised devices that have been enrolled in Apple Business Manager. Intune can create an update policy that controls the automatic installation of platform updates. This enables an Intune admin to configure the software update that the device will install and the time that the device should install it.
Administrators can stop users from installing updates on their own with a device restriction policy that controls the deferral of software updates. This can ensure a single version of the OS or software is maintained across the entire mobile fleet.
This Intune mobile update policy requires a combination of two settings named Defer software updates and Delay visibility of software updates within the General section of a device restrictions policy.
The two settings in tandem enable the Administrator to configure when a new software update will be available for the user by providing a deferral period of up to 90 days.
For Android devices, Intune provides a mobile OS management option for corporate-owned devices: fully managed, dedicated and corporate-owned work profile devices. This option is a device restriction policy, which controls the installation of over-the-air updates that are available for the mobile device fleet.
This is a single setting named System update in Intune, within the General section of a device restrictions policy, and it enables mobile administrators to configure when Intune should push out the system updates.
Administrators must choose among the Device Default, Automatic, Postponed and Maintenance window options depending on their mobile updating needs. The availability of the system updates still depends on the mobile device manufacturer.
For Samsung devices, there is also the choice of utilising Knox E-FOTA which gives granular control over what OS version to deploy. E-FOTA is part of the Knox security suite and can be integrated with Intune.
Microsoft Intune provides multiple options to subtly force a user to install the latest platform update on iOS, iPadOS and Android devices.
These Intune OS update options focus on closing the doors to an organisation's data when a device is not running a specific minimum version of a platform or software product.
IT admins can use enrollment restrictions to ensure that mobile devices are running a minimum OS platform version. When a mobile device is running an older version of a platform, the device will be unable to enroll in Intune.
Device compliance policies can be used to enforce the minimum version of the platform on the mobile device. When a mobile device is running an older version of a platform, the user can be prevented from accessing any of the organisation's apps and data.
IT admins can also use mobile app protection to control access to an organisation's data. IT can protect a mobile business application with several different Intune patching controls, including the conditional launch settings the app verifies when it launches. Once again, IT can enforce a minimum platform version, but this time it determines whether the devices can access the business application. That enables IT to control which devices, enrolled or unenrolled, can access the specific application.
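The three minimum-version gates described above, modelled as an added example (not Intune's own logic and not code from the original article). The device names, minimum versions and function names are constructed assumptions. It shows why versions must be compared numerically, component by component, and why unparseable versions or unknown platforms should fail closed.

```python
"""Model of the three minimum-OS-version gates (constructed data, hypothetical names)."""
from dataclasses import dataclass

# Constructed minimum versions for illustration; not values from the article.
MINIMUMS = {"iOS": "16.7", "Android": "13"}

@dataclass
class Device:
    name: str
    platform: str
    os_version: str
    enrolled: bool

def parse_version(text):
    """Turn '16.7.1' into (16, 7, 1); raises ValueError on non-numeric parts."""
    return tuple(int(part) for part in text.strip().split("."))

def meets_minimum(os_version, minimum):
    """Numeric, component-wise comparison. Unparseable versions fail closed."""
    try:
        have, need = parse_version(os_version), parse_version(minimum)
    except ValueError:
        return False
    width = max(len(have), len(need))
    have += (0,) * (width - len(have))   # '13' is treated as '13.0'
    need += (0,) * (width - len(need))
    return have >= need

def evaluate(device, minimums=MINIMUMS):
    """Outcome of each gate for one device; unknown platforms fail closed."""
    minimum = minimums.get(device.platform)
    ok = minimum is not None and meets_minimum(device.os_version, minimum)
    return {
        "can_enroll": ok,                              # enrollment restriction
        "compliant": ok if device.enrolled else None,  # compliance applies to enrolled devices only
        "app_launch": ok,                              # conditional launch: enrolled or unenrolled
    }

# Constructed sample fleet.
FLEET = [
    Device("ipad-01", "iOS", "16.10", True),      # newer than 16.7; a string compare gets this wrong
    Device("iphone-02", "iOS", "16.6.1", True),
    Device("pixel-03", "Android", "13", False),   # unenrolled (BYOD) device
    Device("tab-04", "Android", "12-custom", True),
]

def blocked(fleet, minimums=MINIMUMS):
    """Names of devices that would be denied app access."""
    return [d.name for d in fleet if not evaluate(d, minimums)["app_launch"]]
```

A plain string comparison would rank "16.10" below "16.7" and wrongly block an up-to-date device, which is the failure the numeric comparison avoids.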
The benefits of using Microsoft Intune - or any Enterprise Mobility Management (EMM) platform - are far broader than managing mobile OS updates. This important security task can be managed simply across a disparate corporate fleet from the Intune platform; however, other benefits of Intune include:
Microsoft Intune is a cloud-based unified endpoint management, access management, and data protection platform. It is a component of Microsoft's Enterprise Mobility + Security (EMS) suite.
Microsoft has risen to the top of the leaderboard in the Gartner UEM Magic Quadrant in the past three years.
The leading competitors to Microsoft Intune are VMware Workspace ONE, and for Apple-centric fleets, Jamf.
MobileCorp is often asked which of these Enterprise Mobility Management (EMM) platforms is best.
In reality, the answer is likely to be dependent on your existing network infrastructure. Microsoft Intune is often the 'best' choice for organisations that have already invested in the Microsoft 365 suite of products. Intune is fully integrated with the M365 stack and may already be included in your M365 licence.
Intune integrates with Azure Active Directory (Azure AD) to control who has access, and what they can access. It also integrates with Azure Information Protection for data protection.
Intune can simply deploy and secure M365 products like Teams, Outlook, OneDrive, OneNote and other Microsoft 365 apps to devices.
MobileCorp is a Microsoft Intune MSP. We have thousands of devices under management for Australian enterprise and business customers.
From building an Intune instance, through testing and deployment, to ongoing management and service desk, MobileCorp has accredited, highly skilled EMM engineers to deliver your Microsoft Intune environment.
Our managed service includes:
MobileCorp is an Australian communications technology company providing Mobile Device Management, Managed Mobility Services, Complex Data and IP Networks, and Unified Communication solutions. It has a proven track record providing solution architecture, build, deployment, and managed services for Australian enterprise and business.