I’ve blogged previously about recognising others when they’ve blogged earlier and better than you, and I’ve got another example of that today with this excellent blog post from Oliver Kieselbach that gives a high-level overview of how Intune works as an MDM. A hat tip to Stefan van der Busse who pointed me at this blog post this afternoon too!
As always, I encourage you to read the original post here.
Oliver does a great job breaking down Intune into:
- The architecture and components that make up Intune
- The nature and structure of Configuration Service Providers (CSP) that action change on devices
  - He covers off both native and custom CSP in his blog post
- Extending your control on a device by ingesting ADMX policy templates
- Explaining how CSP policies are processed on the device
- Policy refresh cycles (this is very helpful if you’ve ever wondered when your changes will take effect!)
- Basic troubleshooting, including reference to 2,500 Administrative Templates for Windows & Office you can manage with Intune
Again, I recommend you read the post in its entirety here, but things that stood out to me in particular included:
1) Policy Refresh Information
Included on this helpful Intune troubleshooting link, the information below is very useful:
How long does it take for devices to get a policy, profile, or app after they are assigned?
Intune notifies the device to check in with the Intune service. The notification times vary, including immediately up to a few hours. These notification times also vary between platforms.
If a device doesn’t check in to get the policy or profile after the first notification, Intune makes three more attempts. An offline device, such as turned off, or not connected to a network, may not receive the notifications. In this case, the device gets the policy or profile on its next scheduled check-in with the Intune service, which is estimated at:

| Platform | Estimated check-in |
|---|---|
| iOS | About every 8 hours |
| macOS | About every 8 hours |
| Android | About every 8 hours |
| Windows 10 PCs enrolled as devices | About every 8 hours |

If the device recently enrolled, the compliance and configuration check-in runs more frequently, which is estimated at:

| Platform | Estimated check-in |
|---|---|
| iOS | Every 15 minutes for 1 hour, and then around every 8 hours |
| macOS | Every 15 minutes for 1 hour, and then around every 8 hours |
| Android | Every 3 minutes for 15 minutes, then every 15 minutes for 2 hours, and then around every 8 hours |
| Windows 10 PCs enrolled as devices | Every 3 minutes for 30 minutes, and then around every 8 hours |

2) Windows 10 templates to configure group policy settings in Microsoft Intune
If you really want to get down to the nitty gritty settings of Windows and Office there are 2,500 templates available now that you can review here.
It’s worth noting you should run Windows 10 1903 for best results when using these templates.
I’ve been using Intune for a while now but still got value out of this post because of the clear way Oliver explained the components of Intune, as well as the links to the official documentation on Microsoft’s well-kept https://docs.microsoft.com site. In particular, the information on device refresh/updates for policies was helpful: I’m often asked about this, and being able to reference it directly makes the answer more authoritative.