Using Microsoft Intune to manage mobile OS updates

Option 1: Control the installation of platform updates 

The mobile OS update features within Intune allow IT admins to enforce the installation of platform updates but how this is achieved differs for iOS/iPadOS versus Android devices. 

For iOS/iPadOS devices 

For iOS and iPadOS devices, Intune can manage platform updates by creating an Update Policy or by utilising Device Restrictions, or a combination of both.

Intune provides management options for supervised devices that have been enrolled in Apple Business Manager. Intune can create an update policy that controls the automatic installation of platform updates. This enables an Intune admin to configure the software update that the device will install and the time that the device should install it.

Source: Microsoft

Administrators can stop users from installing updates on their own with a device restriction policy that controls the deferral of software updates. This can ensure a single version of the OS or software is maintained across the entire mobile fleet.

This Intune mobile update policy requires a combination of two settings named Defer software updates and Delay visibility of software updates within the General section of a device restrictions policy.

The two settings in tandem enable the Administrator to configure when a new software update will be available for the user by providing a deferral period of up to 90 days.

For Android devices

For Android devices, Intune provides a mobile OS management option for corporate-owned devices: fully managed, dedicated and corporate-owned work profile devices. This option is a device restriction policy, which controls the installation of over-the-air updates that are available for the mobile device fleet.

This is a single setting named System update in Intune, within the General section of a device restrictions policy, and it enables mobile administrators to configure when the Intune should push out the system updates.

Administrators must choose among the Device Default, Automatic, Postponed and Maintenance window depending on their mobile updating needs. The availability of the system updates still depends on the mobile device manufacturer.

For Samsung devices, there is also the choice of utilising Knox E-FOTA which gives granular control over what OS version to deploy. E-FOTA is part of the Knox security suite and can be integrated with Intune. 

Option 2: Enforce the installation of the latest platform update by the user

Microsoft Intune provides multiple options to subtly force a user to install the latest platform update on iOS, iPadOS and Android devices.

These Intune OS update options focus on closing the doors to an organisation's data when a device is not running a specific minimum version of a platform or software product.

Enrollment restrictions

IT admins can use enrollment restrictions to ensure that mobile devices are running a minimum OS platform version. When a mobile device is running an older version of a platform, the device will be unable to enroll in Intune. 

Device compliance policies

Device compliance policies can be used to enforce the minimum version of the platform on the mobile device. When a mobile device is running an older version of a platform, the user can be prevented from accessing any of the organisation's apps and data.

Mobile app protection

IT admins can also use mobile app protection to control access to an organisation's data. IT can protect a mobile business application with several different Intune patching controls, including the conditional launch settings the app verifies when it launches. Once again, IT can enforce a minimum platform version, but this time it determines whether the devices can access the business application. That enables IT to control which devices, enrolled or unenrolled, can access the specific application.

Why use Microsoft Intune to manage OS updates?

The benefits of using Microsoft Intune - or any Enterprise Mobility Management (EMM) platform - are far broader than managing mobile OS updates. This important security task is able to be simply managed across a disparate corporate fleet from the Intune platform, however other benefits of Intune include:

• risk mitigation by securing data both on the device and when accessing the corporate network
• not relying on end users to implement OS updates
• remote device management including over-the-air remediation
• zero-touch device deployment to end users
• OTA application deployment and updates
• device compliance e.g. preventing corporate owned devices from being used to access illegal or harmful content
• IT admins being able to enforce corporate policy compliance, governance, and best practice
  
  

Is Microsoft Intune the best Enterprise Mobility Management platform?

Microsoft Intune is a cloud-based unified endpoint management, access management, and data protection platform. It is a component of Microsoft's Enterprise Mobility + Security (EMS) suite.  

Microsoft has risen to the top of the leaderboard in the Gartner UEM Magic Quadrant in the past three years. 

Read: Microsoft and VMware, then daylight, in 2020 Gartner UEM Magic Quadrant

The leading competitors to Microsoft Intune are VMware Workspace ONE, and for Apple-centric fleets, Jamf.

MobileCorp is often asked which of these Enterprise Mobility Management (EMM) platforms is best. 

In reality, the answer is likely to be dependent on your existing network infrastructure. Microsoft Intune is often the 'best' choice for organisations that have already invested in the Microsoft 365 suite of products. Intune is fully integrated with the M365 stack and may already be included in your M365 licence.

Intune integrates with Azure Active Directory (Azure AD) to control who has access, and what they can access. It also integrates with Azure Information Protection for data protection.

Intune can simply deploy and secure M365 products like Teams, Outlook, OneDrive, OneNote and other Microsoft 365 apps to devices. 

MobileCorp Microsoft Intune Managed Service

MobileCorp is a Microsoft Intune MSP. We have thousands of devices under management for Australian enterprise and business customers.

From building an Intune instance, through testing and deployment, to ongoing management and service desk, MobileCorp has accredited highly skilled EMM engineers to deliver your Microsoft Intune environment.

Our managed service includes:

• Microsoft licensing
• Microsoft 365 and Microsoft Intune integration
• Audit and remediation of existing Intune instances
• Design and build of new Intune instances, configuration of profiles
• Deployment of Intune environment, enrolling and deploying bulk devices
• Security management including device wipe, kiosk mode, profile sync
• Remote application management
• Proactive monitoring of devices, applications and enrolment compliance
• Technical support service desk
• Asset management reporting