Migrating to Microsoft Intune
More and more organizations with existing enterprise mobility management solutions are
considering migrating to Microsoft Intune. Intune’s rapidly expanding mobile device
management (MDM) and mobile application management (MAM) feature set offers many
organizations improvements over their existing enterprise mobility management solutions.
Intune also includes tight integration with Azure Active Directory Premium and Azure Rights
Management Service as part of the Microsoft Enterprise Mobility Suite.
This document provides high-level guidance for you to consider when migrating your devices
and users to Intune from an existing enterprise mobility management solution. It outlines the
basic planning and migration considerations, best practices, and provides links to configuration
guidance that you can use to get started with a migration to Intune.
If you purchase licenses for Microsoft Intune, you can use the "FastTrack Center Benefit," a
service where Microsoft specialists work with you to get your environment ready for Intune. See
the Microsoft Intune Service Benefit Description for more details.
This document focuses on the main stages of migrating to Intune from an existing enterprise
mobility management solution:
• Before you begin
• Setting up Intune
• Configuring Intune
• Piloting Intune
• Migrating to Intune
Before you begin
When migrating to Intune from another enterprise mobility management solution, there are
several important consideration areas you should review before the migration:
• Comparing features and capabilities: Since you already have an existing enterprise mobility management solution, you’re familiar with its capabilities and limitations. However, you may not be familiar with Intune’s architecture or device/application management features. Thoroughly understanding how Intune’s mobile management features align with, or differ significantly from, your current solution is essential to migration success. Make sure you also understand the complementary relationship with other Microsoft cloud services, such as Azure Active Directory Premium and Azure Rights Management. To help you map the features and capabilities of your current MDM solution to Intune, see the features reference worksheet at the end of this document. Additionally, you might find our design considerations guide helpful in comparing mobile device management options and configurations.
• Migrating users and devices quickly: Migrating users and devices to Intune quickly is important to prevent losses in productivity and to keep user satisfaction high. To help things move quickly, a well-designed pilot deployment and correctly configured and deployed compliance and configuration policies are crucial. Depending on your organization, you may need to balance this migration with other service migration projects in your organization. Be sure to understand how these other projects affect your overall Intune migration timeline.
• Maintaining business productivity: Most users cannot afford to be disconnected from corporate resources or critical line-of-business (LOB) applications for extended periods. It’s very important that you maintain user productivity throughout the entire migration process by understanding exactly how Intune handles resource and application management. Additionally, timely and detailed communication about the migration with your users is critical to a successful migration.
• Maintaining data security: Securing corporate resources before, during, and after the migration to Intune is critical. Make sure you understand how Intune uses policies that help you configure security and functional settings for enrolled mobile devices, including hardware, password, and allowed/blocked apps settings.
• Maintaining compliance requirements: Most organizations need to maintain and enforce some level of compliance standards, from either internal governance directives or external regulatory requirements. As part of your migration, make sure you understand how Intune helps protect your data security, privacy, and compliance practices. Also, Intune enables you to present your own compliance resources to your users, like custom terms of use or a link to your privacy policies. As part of your migration planning, you should plan to coordinate with your internal legal department to develop the terms or guidelines that you’ll configure in Intune.
• Planning for user identity management: You may already manage user identities and access to corporate resources using Active Directory and Active Directory Federation Services (AD FS) in your on-premises infrastructure. If you already use these services to synchronize and manage user accounts with Microsoft cloud services such as Office 365, you’ll be able to leverage your existing identity infrastructure if you use the same tenant name (*.onmicrosoft.com) across all Microsoft cloud services.
• Leveraging other Microsoft cloud services: If you’re using integrated cloud services or SaaS applications with your existing enterprise mobility management solution, you need to understand how the Intune migration may impact these services. Intune shares a common foundation with other Microsoft cloud services and you can use the same accounts to subscribe to multiple cloud services that use the Microsoft Azure AD
• Communication with users: What you tell your users is incredibly important when migrating to Intune from your existing product. Unlike some software migrations, this one has a direct impact on the user’s mobile device and requires them to take certain steps to ensure a trouble-free experience.
• Intune or Intune + System Center Configuration Manager?: This document only covers a migration to a standalone Intune (cloud-only) deployment from an existing enterprise mobility management solution. If you have an existing on-premises System Center Configuration Manager (ConfigMgr) infrastructure, a hybrid Intune deployment may be a better migration and deployment option. There may be additional considerations with your migration that aren’t covered in this guidance.
Set up Intune
Review infrastructure requirements and architecture
Understanding the Intune service requirements and differences between your existing enterprise
mobility solution and Intune is crucial to a successful migration. For example, Intune is tightly
integrated with other Microsoft services and products that may provide additional benefits to
other areas of your organization. A careful analysis of how these other services currently interact
with your existing enterprise mobility solution may illuminate how Intune will manage these
Controlling access to corporate resources
How you currently manage access to corporate resources in your existing enterprise mobility
management solution may impact both your Intune pilot deployment and migration to Intune.
“Conditional access” is an Intune feature for managing device access to corporate resources,
such as email and cloud services, until the device has met certain compliance or configuration
criteria. Most enterprise mobility management solutions offer a similar capability, but many
require an email gateway or additional access servers in your perimeter network. If your existing
solution is currently configured to manage your mobile devices in this capacity, several
important questions must be answered before piloting or migrating devices to Intune:
1. Can the conditional access policies in my existing enterprise mobility management
solution coexist with Intune conditional access policies? Typically, devices cannot be
enrolled in two different enterprise mobility management solutions at the same time.
The same restriction usually applies to configuring different sets of conditional access
policies to a single email server or cloud service as well. For these reasons, we typically
recommend that you do not have Intune and your existing enterprise mobility
management solution both manage conditional access for the same group of devices
and users at the same time. However, there may be cases and scenarios where
conditional access coexistence is supported between Intune and your existing enterprise
mobility management solution – specifically mobile application management without
enrollment scenarios. We strongly recommend that you extensively test compatibility
and coexistence scenarios for conditional access policies in a lab environment for your
pilot and migration. The results of this testing will apply to the next question.
2. When will I enable Intune’s conditional access policies? This is an important security
decision that impacts access to corporate resources and affects the overall user
experience. Depending on the results of your conditional access policy coexistence
testing and evaluation, you may or may not have a gap in device coverage for these
policies. In cases where coexistence isn’t possible for conditional access policies, you’ll
need to determine whether or not to immediately require conditional access for devices
migrating to Intune. Since these users will lose conditional access provided by the
existing enterprise mobility management solution (it will need to be disabled so Intune
can manage conditional access), they’ll need to enroll in Intune immediately to maintain
managed access to corporate resources. This can be a tall order when dealing with large
numbers of devices and users all at once. Depending on the number of devices and
users you are able to simultaneously support, you may need to plan for a grace period
where users and devices aren’t covered by conditional access by either solution.
Sign up for (or sign into) Microsoft Intune
Before you can migrate to Intune, you’ll first need an Intune tenant. An Intune tenant uses a
unique domain that your organization will use across all Microsoft cloud services, in the
format <your domain>.onmicrosoft.com. If your company is already using Microsoft
Online services such as Microsoft Office 365, we strongly recommend that you use the same user
ID to sign up for Intune so that your user identities are shared automatically. Intune is free to try
for 30 days for up to 100 users, and is available as a standalone service or as part of the Enterprise
Mobility Suite. Sign up for either of these Intune options here.
After completing the process of creating a new Intune tenant or adding Intune to your existing
onmicrosoft.com tenant, you’ll be automatically signed in to the Microsoft Intune account portal
with the global administrator account.
Prepare Intune
To get started, you’ll need to configure a few basic Intune service settings:
• In the Office 365 Management Portal: Add the users you want to manage with Intune during the pilot.
If you added Intune to an existing tenant where Active Directory Federation Services (AD FS) and a synchronization technology are already in place, you’ll simply need to enable licenses for your Intune pilot users.
If this is not the case, for most medium-level and enterprise-level organizations, connecting your existing directory services to Intune via Azure Active Directory is the best and most convenient way to manage user identity with Intune. This is especially true if you already use other Microsoft cloud services, such as Office 365 or Exchange Online. Synchronizing your existing user accounts using Microsoft's Azure AD Connect is a quick and easy way to connect your on-premises Active Directory to Azure Active Directory and configure a single sign-on authentication experience for your users. Azure AD Connect encompasses functionality that was previously released as DirSync and Azure AD Sync.
Users you migrate to Intune must not have devices that are currently managed by your existing enterprise mobility solution. If they do, unenroll their devices and user accounts in accordance with the guidance from your existing mobile device management solution provider. You’ll also need to assign Intune licenses to your pilot users in the Office 365 Management Portal.
Important: If you’ve configured conditional access to corporate resources in your existing solution for these pilot users and devices, the considerations covered in the Controlling access to corporate resources section apply.
• In the Intune Admin Console: Select the Start Managing Mobile Devices button to select your Mobile Device Management Authority, and enable mobile devices for each platform you plan to support in your organization.
o Enable Android devices
o Enable iOS and Mac devices
o Enable Windows Phone devices
o Enable Windows devices
Note for Windows Phone and Windows devices: It isn’t necessary to specify the DNS entries listed in the TechNet topics for piloting Windows Phone and Windows devices if your current DNS CNAME entries already point to your existing enterprise mobility management solution provider. Changing the DNS entries may impact your current production users and devices. To pilot Intune with Windows Phone or Windows devices, you can work around this by:
• Windows Phone: During the enrollment process, users are prompted for the management server name if you do not create the CNAME record for “enterpriseenrollment.company_domain.com”. Simply enter “manage.microsoft.com” for this value to complete the enrollment.
• Windows 8.1: Create a registry key on your Windows 8.1 device for the Intune enrollment server address if you do not wish to configure the “enterpriseregistration.company_domain.com” DNS entry.
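Before deciding whether the DNS workarounds above are needed, it helps to record where the two enrollment CNAME records for your domain currently point, so that nothing serving production devices is changed by accident. The following PowerShell function is an added example and is not part of the Microsoft guide. It assumes the Resolve-DnsName cmdlet from the DnsClient module is available, treats a target under manage.microsoft.com as Intune (the host the guide names), and treats a target under windows.net as the Azure AD device registration service (the writer's assumption; the guide does not state that target). The domain name in the usage line is a placeholder.

```powershell
# Added example: report the current target of the Windows enrollment CNAME
# records for a domain before any DNS change is made for an Intune pilot.
function Get-EnrollmentCnameStatus {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Domain
    )

    # Record name => what the guide says to do when the record is absent
    $checks = [ordered]@{
        "enterpriseenrollment.$Domain"   = 'No record: Windows Phone users are prompted for the management server; enter manage.microsoft.com to pilot'
        "enterpriseregistration.$Domain" = 'No record: Windows 8.1 pilot devices need the registry-based enrollment server address instead'
    }

    foreach ($name in $checks.Keys) {
        $target = $null
        try {
            # -DnsOnly skips the hosts file and local cache so the answer reflects public DNS
            $cname = Resolve-DnsName -Name $name -Type CNAME -DnsOnly -ErrorAction Stop |
                Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
            if ($cname) { $target = $cname.NameHost }
        }
        catch {
            # NXDOMAIN or an empty answer is treated as "no CNAME record"
        }

        if (-not $target) {
            $status = $checks[$name]
        }
        elseif ($target -like '*manage.microsoft.com' -or $target -like '*windows.net') {
            # manage.microsoft.com is the Intune host named in the guide; *.windows.net is
            # assumed (not stated in the guide) to be Azure AD device registration
            $status = 'Already points to Microsoft: no DNS change needed for the pilot'
        }
        else {
            $status = 'Points to another provider: leave unchanged during the pilot, production devices depend on it'
        }

        [pscustomobject]@{ Name = $name; Target = $target; Status = $status }
    }
}

# Usage (placeholder domain: replace with your own public DNS domain)
Get-EnrollmentCnameStatus -Domain 'company_domain.com' | Format-Table -AutoSize
```

Run it once before the pilot and keep the output with your migration notes; if either record already points at your current provider, the prompt-for-server and registry workarounds described above let you pilot without touching it.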
After you’ve completed these steps and configured the necessary platform requirements, you’re
ready to start enrolling devices in Intune if you’d like to test service connectivity and the basic
enrollment process. Users can enroll and manage their devices with the Company Portal app
using their credentials, or you can enroll devices with the Device Enrollment Manager. It’s
important to remember that you haven’t configured any Intune configuration or compliance
policies yet, so these devices are enrolled but are not targeted for policies, applications, or other
corporate resources.
Configure Intune
Intune offers a very comprehensive set of mobile device and mobile application management
features and capabilities. In this step, you’ll need to determine what configuration and
compliance policies need to be configured to match the policies of your current enterprise
mobility management solution. You’ll also need to fully understand the management process for
these policies in the Intune architecture and how they manage and protect corporate resources.
• Device settings: Intune allows you to configure a wide range of settings that you can deploy to managed devices in your organization. These policies can be configured for each device platform type and can manage the most up-to-date device settings available.
• Email: Email profiles in Intune allow you to create and deploy profiles that automatically configure devices with the appropriate email server information so that users can connect to their mailbox. This helps users connect to the correct email server and removes the need for users to remember email server names. Provisioning email profiles via Intune also allows you to remove email from devices as part of a selective wipe. Intune can configure the native email client on iOS, Samsung KNOX Android devices, and Windows Phone 8.0 or later. Intune also supports the Outlook app for both iOS and Android devices as a MAM-enabled application.
• Wireless: To simplify connections to wireless networks, you can manage these connections using Intune wireless profiles that define the specific settings devices need in order to connect to the wireless network. This may include automatically configuring a custom network name, the network Service Set Identifier (SSID), security settings, a network proxy, and whether or not the device should automatically connect to the wireless network when it is in range.
• VPN: Secure remote access to corporate resources often involves a defined VPN connection type on the mobile device that manages the user account credentials used to authenticate the VPN connection. You may have a vendor-specific VPN application for your mobile devices, or it may be supported by your existing enterprise mobility management solution. To simplify connections to VPNs after the migration, you can manage these connections using Intune VPN profiles. Depending on integration support, managing VPN connections with Intune may or may not be an option with certain VPN platforms.
• Certificates: Most enterprise mobility management solutions natively support digital certificates, either self-signed or issued by third-party certificate authorities (CAs), to authenticate mobile devices to network connections or specific network resources. To simplify managing digital certificates after the migration, you can manage certificates using Intune certificate profiles. Intune provides a uniform, centralized method for managing certificates, including how they are created, issued, and renewed.
• Conditional access: Conditional access in Intune controls whether or not users (or user groups) can access corporate resources such as SharePoint Online, Exchange Online, and Exchange on-premises. If a device isn’t enrolled in Intune and compliant with your compliance policies, the user won’t have access to these resources from that device. Additionally, if you’re blocking Exchange ActiveSync (EAS) connectivity at the network layer for externally connecting devices (such as mobile devices on a wireless carrier’s network), you’ll need to allow EAS access for Intune’s conditional access policies to work correctly. Make sure you’ve reviewed the considerations in the Controlling access to corporate resources section before enabling conditional access policies.
• Application delivery & software: Intune offers a variety of methods for managing applications, including publishing applications and deploying both in-house developed applications and store apps.
• Mobile application management: Intune MAM policies allow you to modify the functionality of native MAM-enabled applications to help provide data protection and security. For example, you can restrict cut, copy, and paste for MAM-enabled apps. When deploying these native MAM-enabled apps you can define policies for these apps during the
• App wrapping: The Microsoft Intune App Wrapping Tool for iOS and Android allows you to modify and restrict the behavior of your in-house developed apps without modifying the code of the app itself. When your in-house iOS and Android apps are “wrapped”, you can provide data protection controls such as restricting cut, copy, and paste.
Important: When these apps have been built using the SDK for your current enterprise mobility management solution or wrapped using your existing solution’s wrapper, Intune will not support that functionality. You’ll need to recompile these apps with the Intune App SDK or use the Intune App Wrapping Tool as appropriate.
• Terms and conditions: Intune allows you to configure customized terms and conditions that your users must accept prior to enrolling a device in Intune. This feature includes version control and allows you to generate reports showing which users have accepted the terms and conditions, what version they accepted, and when they accepted the terms. We recommend investigating early in your planning phase whether you can use your existing terms and conditions in Intune, as engaging different legal resources may extend your migration
Pilot Intune
Now you’re ready to start your pilot deployment of Intune with selected users and devices.
Remember, the devices you test in the pilot deployment need to be unenrolled from your
existing enterprise mobility management platform before they are enrolled in Intune.
Your pilot deployment should validate:
• Users and devices can be successfully enrolled in and unenrolled from Intune
• Intune configuration policies are created and tested on devices
• Intune compliance policies are created and tested on devices
• Intune conditional access is functioning properly
• Intune managed applications are created and installed on devices
• Intune mobile application management policies are created and tested on devices
• Corporate resources such as VPN, Wi-Fi, email, and certificates are provisioned and tested as applicable
A typical pilot may last for several weeks and should include an appropriate number of users
and devices based on the size of your organization. You should use this time to train your IT
staff on how to enroll and troubleshoot problems for all of the platforms you’ll support.
Additionally, you should consider feedback from your pilot users in developing your user
enrollment documentation and communications for your full-scale deployment of Intune.
After you’ve tested and validated your pilot deployment of Intune, you’re ready to schedule the
migration of the rest of the users and devices in your organization to Intune.
Migrate to Intune
The migration to Intune from your existing enterprise mobility management solution may follow
the general sequence of steps below:
Notify users
Once you’re comfortable that the Intune pilot deployment has met your requirements, communicate with your users about the upcoming migration of their devices to Intune. Email messages, instructions, and posters can help set expectations and provide enrollment details on the steps users need to take in order to maintain uninterrupted connectivity to company resources and applications. Make sure your support team is ready to assist users in the migration process.
Modify your existing enterprise mobility management solution
Depending on how you plan to handle conditional access policies between your existing enterprise mobility management solution and Intune, you may need to disable your existing conditional access policies. You’ll either disable your existing conditional access policies OR scope the existing conditional access policies so that they do not include the users/devices you are about to migrate to Intune. Do not have both Intune and your existing enterprise mobility management solution applying conditional access policies to the same users/devices.
Enable Intune conditional access policy (optional)
If you’ve decided to immediately enforce conditional access policies without a grace period for migrating devices, enable conditional access policies in Intune in this step. Make sure that this decision is well communicated to your users and your helpdesk team. If devices aren’t enrolled in Intune and aren’t compliant with Intune policies, users won’t be able to access corporate resources until they enroll in Intune and the devices are compliant with Intune policies.
Unenroll devices from your existing enterprise mobility management solution
Devices must be unenrolled from your existing enterprise mobility management solution prior to enrolling in Intune. Our recommendation is to allow users to unenroll their devices themselves for the best user experience. Be sure to follow the unenrollment guidance from the solution provider to make sure you correctly remove users and devices from your platform, ensuring the minimum possible disruption to your end users.
Enroll devices in Intune
Users scheduled for migration should immediately enroll in Intune to either regain or prevent loss of access to corporate resources, email, and applications. If you’ve configured conditional access and users try to connect to email before enrolling in Intune, their access will be blocked and an enrollment email will greet them. This email will guide them to enroll their device in Intune. Alternatively, users can enroll in Intune via the Intune Company Portal app or natively through the operating system on Windows 8.1 and Windows 10 Mobile. Refer to “What to tell your end users about using Microsoft Intune” for further guidance on enrollment steps per platform.
Configure Intune conditional access (optional)
If you’ve allowed a grace period for conditional access enforcement, enable conditional access policies in Intune to start enforcement when the grace period that you have communicated to your end users has ended. This will immediately require all devices to meet the requirements of the Intune conditional access policy.
Enroll remaining devices and users
Now that you have enabled conditional access, all users are required to enroll in Intune and meet your organization’s compliance policies to gain access to corporate resources. If you’ve migrated your users in a phased enrollment (not all at once), repeat the steps above until all the devices and users are enrolled and managed by Intune.
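The sequence above rests on two rules from the Controlling access to corporate resources section: legacy and Intune conditional access (CA) must never apply to the same users at the same time, and any period in which neither solution enforces CA must stay within the grace period you communicated. Those rules can be checked against a wave plan before the cutover date. The following PowerShell function is an added example and is not part of the Microsoft guide; the plan format (User, LegacyCAUntil, IntuneCAFrom, EnrolledOn), the function name, and the sample users and dates are all constructed for illustration.

```powershell
# Added example: validate a per-user CA cutover plan for the problems the guide
# warns about: overlapping CA scopes, an uncovered gap longer than the grace
# period, and Intune CA enforced before the user has enrolled.
function Test-ConditionalAccessCutover {
    param(
        # Each entry: User, LegacyCAUntil (date legacy CA stops applying),
        # IntuneCAFrom (date Intune CA starts applying), EnrolledOn (Intune enrollment date)
        [Parameter(Mandatory = $true)]
        [object[]]$Plan,

        # Grace period communicated to users, in days
        [int]$MaxGraceDays = 7
    )

    foreach ($entry in $Plan) {
        $legacyUntil = [datetime]$entry.LegacyCAUntil
        $intuneFrom  = [datetime]$entry.IntuneCAFrom
        $enrolledOn  = [datetime]$entry.EnrolledOn
        $findings    = @()

        # Both solutions enforcing CA for the same user at the same time
        if ($intuneFrom -lt $legacyUntil) {
            $findings += "Overlap: both solutions enforce CA from $($intuneFrom.ToString('yyyy-MM-dd')) to $($legacyUntil.ToString('yyyy-MM-dd'))"
        }

        # Days in which neither solution enforces CA (negative when scopes overlap)
        $gapDays = ($intuneFrom - $legacyUntil).Days
        if ($gapDays -gt $MaxGraceDays) {
            $findings += "Gap: $gapDays days with no CA from either solution exceeds the $MaxGraceDays-day grace period"
        }

        # Intune CA turned on before the user enrolls: the user is blocked until enrolled
        if ($enrolledOn -gt $intuneFrom) {
            $blockedDays = ($enrolledOn - $intuneFrom).Days
            $findings += "Blocked: Intune CA enforced $blockedDays day(s) before the user enrolls"
        }

        $status = if ($findings.Count -eq 0) { 'OK' } else { 'Review' }

        [pscustomobject]@{
            User     = $entry.User
            GapDays  = [math]::Max($gapDays, 0)
            Status   = $status
            Findings = ($findings -join '; ')
        }
    }
}

# Constructed sample plan (two waves); all names and dates are illustrative
$plan = @(
    [pscustomobject]@{ User = 'alice'; LegacyCAUntil = '2016-03-01'; IntuneCAFrom = '2016-03-01'; EnrolledOn = '2016-03-01' }  # clean cutover
    [pscustomobject]@{ User = 'bob';   LegacyCAUntil = '2016-03-01'; IntuneCAFrom = '2016-03-15'; EnrolledOn = '2016-03-10' }  # 14-day gap
    [pscustomobject]@{ User = 'carol'; LegacyCAUntil = '2016-03-15'; IntuneCAFrom = '2016-03-01'; EnrolledOn = '2016-03-02' }  # overlap
    [pscustomobject]@{ User = 'dave';  LegacyCAUntil = '2016-03-01'; IntuneCAFrom = '2016-03-01'; EnrolledOn = '2016-03-05' }  # blocked 4 days
)

Test-ConditionalAccessCutover -Plan $plan -MaxGraceDays 7 | Format-Table -AutoSize
```

Export the plan from whatever you use to schedule waves (a CSV piped through Import-Csv has the same shape) and re-run the check whenever a wave date slips; a row marked Review is either a scoping error in one of the two solutions or a communication item for the helpdesk.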
Retire the previous enterprise mobility management solution
After you’ve migrated all your users and devices to Intune and you’ve validated that the
migrations to Intune are successful, you can retire the previous enterprise mobility management
solution and/or unsubscribe from the service. Be sure to follow the guidance from the solution
provider to make sure you correctly remove any unneeded infrastructure requirements and
cancel any subscriptions/licenses.
Additional migration resources
Do you need extra help with your migration to Intune? We provide expert assistance options to
help make sure your migration is trouble-free:
• Microsoft Intune Onboarding
• Microsoft Consulting Services
• Intune Technical and Non-Technical Support
• Microsoft Intune TechNet Forum
MDM features & capabilities mapping worksheet
Use the following worksheet to compare the features, capabilities, and settings of your current
MDM solution to Intune features and capabilities.
Device platforms listed include:
• Android
• iOS
• Samsung KNOX (KNOX)
• Windows RT (WINRT)
• Windows RT 8.1 (WINRT8.1)
• Windows 8.1 (WIN8.1)
• Windows 10 (WIN10)
• Windows Phone 8 (WP8)
• Windows Phone 8.1 (WP8.1)
• Windows 10 Mobile (WIN10Mobile)
For the most current comparison of these features by mobile device operating system platform,
be sure to check out Mobile device security policy settings in Microsoft Intune.
Worksheet columns: Microsoft Intune Feature | Applies To Devices | Your Current MDM feature | Your Current MDM setting
The "Applies To Devices" column survived only as a detached list of values; they are given after each group in the order they appeared, and the two "Your Current MDM" columns are blank for you to fill in.

Device security, enrollment, and device settings
• Require a password to unlock mobile devices
• Required password type
• Required password type – Minimum number of character sets
• Minimum password length
• Allow simple passwords
• Number of repeated sign-in failures to allow before the device is wiped
• Minutes of inactivity before screen turns off
• Password expiration (days)
• Remember password
• Remember password history – Prevent reuse of previous passwords
• Password quality
• Allow picture password and
• Minutes of inactivity before password is required¹
• Allow fingerprint unlock
• Multi-Factor Authentication at Enrollment
• Service Account Enrollment
• Device Lockdown Supervisor/Assigned
Applies To Devices values in this group: All, except Android/KNOX; All, except Android/KNOX; iOS 7+; All, except WINRT/WP8

• Customizable Terms of Use
• Support for Apple
• Support for Apple Device Enrollment Program
• Tagging for Personal versus Company Devices
• Require encryption on mobile device
• Require encryption on storage cards
• Require network firewall
• Enable SmartScreen
• Require automatic updates
• Require automatic updates – Minimum classification of updates to install
• Allow screen capture
• Allow control center in lock screen
• Allow notification view in lock screen
• Allow today view in lock screen
• User Account Control
• Allow diagnostic data
• Allow untrusted TLS
• Allow personal wallet software while locked
• Allow factory reset
• Allow backup to iCloud
• Allow document sync to
• Allow Photo Stream sync to
• Require encrypted backup
• Work Folders URL
• Allow Google backup
• Allow Microsoft account
Applies To Devices values in this group: All, except iOS and WINRT; iOS 7+; iOS 7+; iOS 7+; WIN8.1/WINRT 8.1/WIN10; All, except WINRT

• Allow Google account auto
• Make Microsoft account optional in Windows Mail
• Allow custom email
• Allow web browser
• Allow autofill
• Allow pop-up blocker
• Allow cookies
• Allow plug-ins
• Allow active scripting
• Allow fraud warning
• Allow intranet site for single word entry
• Allow automatic detection of intranet network
• Security level for Internet
• Security level for intranet
• Security level for trusted
• Security level for restricted
• Send Do Not Track header
• Allow Enterprise Mode menu access
• Enterprise Mode site list
• Allow application store
• Require a password to access application store
• Allow in-app purchases
• Allow managed documents in other unmanaged apps
• Allow unmanaged documents in other managed apps
• Allow video conferencing
• Allow adult content in media store
• Allow app installation
Applies To Devices values in this group: iOS 7+; iOS 7+; iOS 7+; iOS 7+; iOS 6+

App management
• Required Application Installs/Uninstalls for Private
• Required Application Installs for Public Apps
• Managed Deployment of Free Public Apps
• Per-App VPN
• Managed Applications
• Managed Browser
• URL Allow/Deny via Managed Browser
• Managed PDF/AV/Image
• Selective Wipe of Managed Apps and Data
• Application Wrapping tool for Intune Policies
• Intune Policy SDK for Managed Mobile
• Allow Game Center friends
• Allow multiplayer gaming
• Allow camera
• Allow removable storage
• Allow Wi-Fi
• Allow Wi-Fi tethering
• Allow automatic connection to free Wi-Fi hotspots
• Allow Wi-Fi hotspot
• Allow geolocation
• Allow NFC
• Allow Bluetooth
• Allow power off
• Allow voice roaming
• Allow data roaming
• Allow automatic synchronization while
• Allow SMS/MMS messaging
• Allow voice assistant
• Allow voice assistant while device is locked
• Allow voice dialing
• Allow copy and paste
• Allow clipboard share between applications
• Allow YouTube

Conditional access
• Conditional Access to on-premises Exchange via EAS
• Conditional Access to Office 365 Exchange via EAS
• Conditional Access for SharePoint Online
• Restrict Access When Device Out of Compliance
• Deployment of Email Profiles
• Selective Wipe of Email
• Deployment of VPN Profiles
• Deployment of Certificates using SCEP
• Deployment of Certificates using PFX
• Deployment of WIFI Profiles
• Policies and Apps Targeted to Devices
Applies To Devices values in this group: All, except WP8/WINRT; All, except WP8/WINRT; All, except WP8/WINRT/WIN10; All, except; All, except WP8/WINRT