What Is Microsoft Intune – and Why Does Your SMB Need It?
Intune is included in your Microsoft 365 license. But having access to a tool and having it properly configured are two very different things.
THE REALITY
If your business runs on Microsoft 365 Business Premium, Microsoft Intune is included. That part is true — and we’re not going to pretend otherwise. But here’s what most small businesses find out the hard way: having a tool in your subscription and having that tool configured, deployed, and actively managed are completely different things.
By default, Intune in a new M365 tenant does very little. There are no device policies. No conditional access rules. No enrollment requirements. Nothing is protected until someone sets it up correctly — and for most SMBs, that setup never happens. The licenses sit there, the capability goes unused, and your devices operate with zero centralized oversight.
That’s the gap SBT fills. Intune management isn’t a fee for something you didn’t already have — it’s the work of making sure what you have actually works: proper configuration, active monitoring, policy enforcement, and someone who owns it on your behalf every single day.
"A misconfigured Intune tenant is almost as risky as no configuration at all. Default settings aren't enough, and without proper deployment, your team will work around the tools regardless of what you've paid for."
WHAT IS IT?
Microsoft Intune is a cloud-based endpoint management platform. In practice, it’s the tool that lets your IT team see, manage, and secure every device that touches your company data — Windows laptops, Macs, iPhones, Androids, tablets — from a single dashboard. Company-owned or personal. In the office or remote.
It operates in two main modes, depending on who owns the device:
MDM (Mobile Device Management): full management of the device. Push software, enforce encryption, configure settings, require PINs, and remotely wipe the entire device if it's lost or stolen. Best for laptops and phones your company issues.
MAM (Mobile Application Management): protects company data inside specific apps without managing the whole phone. An employee's personal photos, texts, and apps are completely off-limits. Only the work data is containerized and controlled. A lost personal phone with MAM in place means a wipe of company data only; nothing personal is touched.
Conditional access ties the two together. Intune reports device compliance to Microsoft Entra ID, and Entra ID conditional access policies automatically block non-compliant devices from company email or SharePoint with no IT intervention required. Wrong OS version, no PIN, not enrolled? Access denied, no exceptions.
The setup problem is real. Intune has hundreds of configuration options, policy settings, and security baselines. We've onboarded clients who had M365 Business Premium for years with Intune enabled in name only — no enrollment, no policies, no protection. The capability existed. The protection didn't.
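The "enabled in name only" tenant described above is easy to spot with a read-only query against Microsoft Graph. This is an added example, not SBT's tooling: it assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account holds read access to Intune and Conditional Access (for example Global Reader), and it counts the policies that actually constitute protection.

```powershell
# Added example (not SBT's tooling): read-only inventory of whether an M365 tenant's
# Intune is configured at all. Assumes the Microsoft.Graph SDK and a reader role.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All',
                        'DeviceManagementApps.Read.All',
                        'DeviceManagementManagedDevices.Read.All',
                        'Policy.Read.All' | Out-Null

function Get-GraphCollection {
    param([string]$Uri)
    # Follow @odata.nextLink so larger tenants are counted completely.
    $items = @()
    do {
        $page   = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $items += $page.value
        $Uri    = $page.'@odata.nextLink'
    } while ($Uri)
    return $items
}

$base       = 'https://graph.microsoft.com/v1.0'
# @( ) keeps each result an array so .Count is a row count, not a hashtable key count.
$compliance = @(Get-GraphCollection "$base/deviceManagement/deviceCompliancePolicies")
$config     = @(Get-GraphCollection "$base/deviceManagement/deviceConfigurations")
$appProt    = @(Get-GraphCollection "$base/deviceAppManagement/managedAppPolicies")
$caPolicies = @(Get-GraphCollection "$base/identity/conditionalAccess/policies")
$devices    = @(Get-GraphCollection "$base/deviceManagement/managedDevices")

# Only an enabled CA policy that demands a compliant device or a protected app counts.
$caEnforcing = @($caPolicies | Where-Object {
    $_.state -eq 'enabled' -and (
        $_.grantControls.builtInControls -contains 'compliantDevice' -or
        $_.grantControls.builtInControls -contains 'compliantApplication')
})
$notCompliant = @($devices | Where-Object { $_.complianceState -ne 'compliant' })

[pscustomobject]@{
    'Compliance policies'             = $compliance.Count
    'Configuration profiles'          = $config.Count
    'App protection (MAM) policies'   = $appProt.Count
    'CA policies enforcing the above' = $caEnforcing.Count
    'Enrolled devices'                = $devices.Count
    'Enrolled devices not compliant'  = $notCompliant.Count
} | Format-List

# All zeros is the licensed-but-unconfigured tenant: nothing is enrolled or enforced.
if ($compliance.Count -eq 0 -and $appProt.Count -eq 0 -and $caEnforcing.Count -eq 0) {
    Write-Warning 'Intune is licensed but nothing is enforced: no compliance, MAM or CA policies.'
}
```

Even a tenant with policies can still show a large "not compliant" count; that is the ongoing-monitoring gap rather than the setup gap.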
WHY IT MATTERS
Unmanaged devices are consistently one of the top entry points for SMB breaches. Here’s what the data actually looks like:
Forrester’s 2024 Total Economic Impact study on Intune found that organizations with a properly deployed, actively managed Intune environment saw 80% faster new-device onboarding, a 25% drop in help desk tickets related to endpoint issues, and a meaningful reduction in breach risk from lost or stolen devices. Those aren’t theoretical gains — they’re the direct result of configuration and management done right.
THE BYOD PROBLEM
The scenario is more common than most SMB owners realize: a 20-person company with no formal BYOD policy. Employees check work email on personal iPhones. A few people remote into SharePoint from home laptops that haven’t been patched in six months. Someone’s Android phone — with access to company files — gets left in a rideshare.
Without Intune properly configured, there is nothing your IT team can do. No remote wipe. No way to verify that device was encrypted. No audit trail. The data is effectively gone — or in the wrong hands.
With Intune MAM policies deployed and monitored correctly, that scenario ends differently. Work data is containerized inside managed apps. If the device goes missing, you wipe the company container only. The employee’s personal content is untouched.
The key word is "deployed correctly." MAM policies don't enforce themselves. Someone has to build the policy, enroll the apps, test the configuration, and monitor compliance on an ongoing basis. That's the managed service — not the Intune license itself.
THE FULL PICTURE
Here’s what a fully deployed and managed Intune environment gives you, compared with what you’d need to build the same protection from separate tools:
| Capability | Standalone Alternative | With Managed Intune |
|---|---|---|
| Mobile Device Management | $8–$12/device/mo (separate MDM tool) | ✓ Included & Configured |
| App protection for BYOD (MAM) | Requires additional MDM licensing | ✓ Deployed with policies |
| Conditional access enforcement | Requires Azure AD P1 (~$6/user/mo) | ✓ Actively enforced |
| Remote wipe (selective or full) | Standalone MDM platform needed | ✓ Ready to execute |
| Autopilot device provisioning | Enterprise-tier; complex setup | ✓ Configured for your workflow |
| Compliance monitoring & reporting | Manual or separate tool | ✓ Ongoing via Datto RMM + Intune |
| Security baseline hardening | Manual configuration required | ✓ Applied and maintained |
The managed service cost covers the expertise, time, and accountability behind every one of those rows — not the license itself. If you have Business Premium and think Intune is already protecting you because it shows up in your portal, this is the conversation worth having with your IT partner.
HOW WE DO IT
When SBT manages Intune as part of your Total IT partnership, here’s what that work entails — from day one through ongoing operations:
We start by reviewing your M365 tenant configuration from scratch. Intune policies are built from the ground up against Microsoft's security baselines — not left on defaults. Everything is hardened before a single device enrolls.
Company-owned devices go into full MDM. Personal devices get MAM-only enrollment — no employee has to hand over their personal phone. We configure the right policy for each device type and ownership model your team actually uses.
We configure Entra ID conditional access rules that match how your business operates — blocking non-compliant devices from email and SharePoint, enforcing MFA, and applying access rules by role or location where relevant.
New Windows devices can ship directly to employees and self-configure through Autopilot — arriving pre-loaded with required apps, policies, and security settings. No IT time at the desk required.
Once deployed, we monitor device compliance through Datto RMM and the Intune console. Devices that fall out of policy get flagged and remediated. Updates get pushed. You get reporting your leadership can actually act on.
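The conditional access step above (non-compliant devices blocked from email and SharePoint, personal phones allowed only through protected apps) maps to a single Entra ID policy. This is an added example, not SBT's configuration: it assumes the Microsoft.Graph SDK and Conditional Access write permission, uses a placeholder for the break-glass group, and creates the policy in report-only mode so the sign-in logs reveal who would be blocked before it is switched to enforced.

```powershell
# Added example (not SBT's configuration): Entra ID Conditional Access policy requiring
# an Intune-compliant device (MDM) OR an app protection policy (MAM) for Office 365.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All' | Out-Null

# Placeholder: object ID of the group holding your emergency-access accounts.
$breakGlassGroupId = '<BREAK-GLASS-GROUP-OBJECT-ID>'

$policy = @{
    displayName = 'Require compliant device or protected app for Office 365 (report-only)'
    # Report-only first; change to 'enabled' once the sign-in log review is clean.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeUsers  = @('All')
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{
            # 'Office365' covers Exchange Online, SharePoint Online, Teams and the rest.
            includeApplications = @('Office365')
        }
        clientAppTypes = @('all')
    }
    grantControls = @{
        # OR: a company laptop passes via Intune compliance; a personal phone passes
        # only when the work app is under an app protection (MAM) policy.
        operator        = 'OR'
        builtInControls = @('compliantDevice', 'compliantApplication')
    }
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' `
    -Body ($policy | ConvertTo-Json -Depth 10) `
    -ContentType 'application/json'

"Created policy $($created.id) in state $($created.state)"
```

Keep the break-glass exclusion in place when you flip the state to enabled; a compliance-only policy with no exclusions can lock administrators out of their own tenant.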
Most businesses with Business Premium have never had Intune properly configured. We'll take a look — at no cost — and tell you exactly where you stand.
Claim Your Free IT Health Check →