Microsoft Intune for Australian SMBs: Device Management Made Practical
When an employee’s laptop goes missing, or someone leaves your business unexpectedly, or you need to ensure every device accessing company data meets security standards—that’s when device management becomes urgent. For Australian SMBs already invested in Microsoft 365, Intune provides a practical answer to these challenges without the complexity of traditional enterprise solutions.
At CloudGeeks, we’ve helped many Australian businesses implement Intune to protect their data and devices. Here’s a practical guide to making it work for your organisation.
Why Intune Makes Sense for Australian SMBs
The Device Management Challenge
Modern Australian businesses face a complex device landscape:
- Company-owned devices: Windows laptops, iPhones, Android phones
- BYOD (Bring Your Own Device): Personal phones accessing work email
- Hybrid work: Devices moving between office and home
- Contractor access: Temporary staff needing limited access
- Compliance requirements: Privacy Act, industry regulations, cyber insurance
Managing this manually is impractical. Spreadsheets tracking devices, relying on users to configure security settings, hoping nothing goes wrong—it doesn’t scale and it doesn’t protect your business.
What Intune Delivers
Centralised Device Management
See and manage all devices from a single dashboard:
- Inventory of all enrolled devices
- Hardware and software details
- Security compliance status
- Remote actions (lock, wipe, restart)
Security Policy Enforcement
Ensure every device meets your standards:
- Require passcodes/PINs
- Enforce encryption
- Require up-to-date operating systems
- Block compromised devices
Application Management
Control which apps access corporate data:
- Deploy required applications
- Remove unwanted applications
- Configure app settings remotely
- Separate work and personal data on BYOD
Conditional Access Integration
Only allow compliant devices to access resources:
- Block non-compliant devices from email
- Require managed apps for sensitive data
- Geographic restrictions
- Risk-based access decisions
Licensing for Australian SMBs
Intune is included in several Microsoft 365 plans:
| License | Intune Included | Approximate Cost (AUD) |
|---|---|---|
| Microsoft 365 Business Basic | No | $9/user/month |
| Microsoft 365 Business Standard | No | $18/user/month |
| Microsoft 365 Business Premium | Yes | $33/user/month |
| Microsoft 365 E3 | Yes | $54/user/month |
| Intune standalone | Full features | $12/user/month |
Recommendation for SMBs: If you’re using Microsoft 365 Business Standard, upgrading to Business Premium often makes sense. You get Intune, Defender for Business, and advanced security features for an additional $15/user/month.
Implementation Guide: From Zero to Managed
Phase 1: Planning and Preparation (1-2 weeks)
Define Your Device Strategy
Answer these questions before configuring anything:
| Question | Your Answer |
|---|---|
| Which devices will be company-owned? | |
| Will you support BYOD? | |
| Which mobile platforms (iOS, Android, both)? | |
| Which Windows versions? | |
| What’s the minimum security standard? | |
| Who needs what level of access? | |
Document Your Device Inventory
Before enrollment, know what you’re managing:
- Current device count by platform
- Which devices are company-owned vs. personal
- Current security software installed
- Users and their device assignments
Plan Your Compliance Requirements
Define what “compliant” means for your business:
Minimum Security Requirements (Typical SMB)
- Windows 10/11 with current updates
- iOS 15+ or Android 13+
- Device encryption enabled
- Screen lock with PIN/password
- Antivirus active (Windows)
- Not jailbroken/rooted
Enhanced Requirements (Sensitive Data)
- Complex password requirements
- Shorter screen lock timeout
- Specific minimum OS versions
- App installation restrictions
- Location services enabled
Phase 2: Core Configuration (1-2 weeks)
Enable Intune and Configure Basics
- Sign in to Microsoft Intune admin center (intune.microsoft.com)
- Configure MDM Authority (should be set to Intune)
- Set up device enrollment restrictions
- Configure branding (company name, logo, support info)
Configure Apple Push Notification Service (Required for iOS)
If managing iPhones/iPads:
- Download CSR from Intune
- Create push certificate at Apple Push Certificates Portal
- Upload certificate to Intune
- Renew annually (critical—set calendar reminder)
Configure Android Enterprise (Recommended)
For Android device management:
- Connect Intune to managed Google Play
- Configure enrollment profiles
- Set up work profile for BYOD devices
Create Device Compliance Policies
Windows Compliance Policy
Policy Name: Windows Device Compliance
Platform: Windows 10/11
Requirements:
- Require BitLocker: Yes
- Require Secure Boot: Yes
- Require Code Integrity: Yes
- Minimum OS Version: 10.0.19045 (Windows 10 22H2)
- Require Antivirus: Yes
- Require Antispyware: Yes
- Require Firewall: Yes
- Simple passwords: Block
- Minimum password length: 8
iOS Compliance Policy
Policy Name: iOS Device Compliance
Platform: iOS/iPadOS
Requirements:
- Jailbroken devices: Block
- Minimum OS version: 16.0
- Require password: Yes
- Minimum password length: 6
- Simple passwords: Block
- Screen lock after inactivity: 5 minutes
Android Compliance Policy
Policy Name: Android Device Compliance
Platform: Android Enterprise
Requirements:
- Rooted devices: Block
- Minimum OS version: 13.0
- Require password: Yes
- Required password type: Numeric complex
- Minimum password length: 6
- Encryption: Require
Configure Conditional Access
Integrate compliance with access control:
- Go to Microsoft Entra ID > Security > Conditional Access
- Create policy: “Require compliant device for Office 365”
- Conditions: All users, Office 365 apps
- Grant: Require device to be marked as compliant
- Test with pilot group before enabling for all users
Phase 3: Device Configuration Profiles (1-2 weeks)
Windows Configuration Profile
Create baseline security settings:
Security Baseline Settings
- Disable USB storage (if required)
- Configure Windows Hello for Business
- Enable Windows Defender features
- Configure Windows Update settings
- Set power management for laptops
Wi-Fi Profile (for office network)
- Pre-configure office Wi-Fi
- Deploy certificates if using WPA-Enterprise
- Set priority to prefer office network
iOS Configuration Profile
Manage iPhone/iPad settings:
Restrictions
- Require managed apps for company data
- Block screenshots of managed apps
- Block copy/paste from managed to personal apps
- Require Touch ID/Face ID for managed apps
Email Profile
- Pre-configure Exchange Online connection
- Require managed email app
- Configure email sync settings
Android Configuration Profile
For work profile devices:
Work Profile Settings
- Separate work and personal data
- Block copy/paste between profiles
- Configure work profile password separately
- Allow personal apps alongside work apps
Phase 4: Application Management (1-2 weeks)
Deploy Required Applications
Windows Applications
Deploy via Intune:
- Microsoft 365 Apps (Word, Excel, Outlook, Teams)
- Company line-of-business applications
- Security tools (if not included in Windows)
- VPN client (if required)
iOS/Android Applications
Deploy managed apps:
- Outlook for iOS/Android (managed)
- Teams mobile app
- Company-specific apps
- Approved productivity apps
Configure App Protection Policies
Protect data within apps (critical for BYOD):
iOS/Android App Protection Policy
Policy Name: Protect Office Data
Apps: Outlook, Teams, OneDrive, SharePoint
Data Transfer:
- Receive data from: Policy-managed apps only
- Send data to: Policy-managed apps only
- Save copies: Block (except OneDrive for Business)
- Allow cut/copy/paste: Policy-managed apps only
Access Requirements:
- PIN for access: Yes
- Work account credentials: Required
- Recheck access after: 30 minutes
Conditional Launch:
- Jailbroken/rooted: Block access
- Minimum OS version: Current - 2 major versions
- Maximum offline time: 1 day
Phase 5: Device Enrollment (Ongoing)
Windows Autopilot (Recommended for New Devices)
For company-owned Windows devices:
- Register device hardware IDs with Intune
- Create Autopilot deployment profile
- User receives device, connects to internet
- Device automatically configures itself
Manual Windows Enrollment
For existing devices:
- Settings > Accounts > Access work or school
- Connect to organisation
- Sign in with work account
- Device enrolls automatically
iOS Enrollment Options
- Apple Business Manager + Automated Enrollment: Best for company-owned
- User Enrollment: Best for BYOD (separates work data)
- Device Enrollment: Full management for company-owned
Android Enrollment Options
- Fully Managed: Company-owned devices
- Work Profile: BYOD (recommended)
- Dedicated Device: Kiosk/single-purpose devices
Australian-Specific Considerations
Privacy Act Compliance
Intune supports Privacy Act requirements:
Data Collection Transparency
- Clearly communicate what data Intune collects
- Document in employee agreements
- Provide privacy notices before enrollment
Data Minimisation
- Configure Intune to collect only necessary data
- Use work profiles for BYOD to separate personal data
- Don’t track personal app usage on BYOD
What Intune Can See (Company-Owned)
- Device name, model, serial number
- Operating system version
- Installed applications
- Location (if enabled)
- Compliance status
What Intune Can See (BYOD Work Profile)
- Work profile apps only
- Work profile compliance
- Cannot see personal apps
- Cannot see personal photos/messages
- Cannot see personal location
BYOD Legal Considerations
For Australian businesses implementing BYOD:
Employee Agreements Should Cover
- What management is applied
- What data the company can see
- What happens when employment ends
- Who pays for data usage
- Device loss/theft procedures
Work Profile Benefits for BYOD
- Clear separation of work and personal
- Company can only wipe work data
- Personal data and apps remain private
- Employees retain control of personal device
Cyber Insurance Alignment
Many Australian cyber insurance policies require:
- Device encryption (Intune enforces)
- Password policies (Intune enforces)
- Remote wipe capability (Intune provides)
- Device inventory (Intune maintains)
Document your Intune configuration for insurance applications.
Day-to-Day Operations
Monitoring Device Compliance
Dashboard Review (Daily)
- Check compliance percentage
- Review non-compliant devices
- Identify enrollment issues
- Monitor security alerts
Common Non-Compliance Issues
| Issue | Cause | Resolution |
|---|---|---|
| Out of date OS | User hasn’t updated | Send reminder, set deadline |
| Encryption disabled | User disabled it | Require re-enrollment |
| Missing antivirus | Uninstalled or expired | Deploy automatically via Intune |
| Jailbroken device | User modification | Block access, require new device |
Handling Device Loss
When a device is lost or stolen:
Company-Owned Device
- Locate device (if location enabled)
- Send remote lock immediately
- If not recovered within 24 hours, remote wipe
- Document for insurance claim
- Remove from Intune inventory
BYOD Device
- Perform “Selective Wipe” (work data only)
- Remove from company enrollment
- Personal data remains untouched
- Document the action
Employee Offboarding
When an employee leaves:
- Immediate: Disable account in Entra ID (blocks access)
- Within 24 hours: Remove from Intune groups
- Company-owned: Remote wipe and reclaim device
- BYOD: Selective wipe removes work data only
- Document: Record actions for compliance
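The lost-device and offboarding steps above can be run as one scripted runbook so the order (disable account, then act on each device by ownership, then record what was done) is always the same. This is an added example using the Microsoft Graph PowerShell SDK, not CloudGeeks’ or Microsoft’s own script; the user principal name, the scenario switch and the log file path are assumptions, and Intune’s “Retire” action is used as the selective wipe the post describes.

```powershell
# Added example (not from the original post): offboarding / lost-device runbook
# built on the Microsoft Graph PowerShell SDK. Assumes the Microsoft.Graph module
# is installed and the operator holds the scopes requested below.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,          # assumed, e.g. leaver@example.com.au
    [ValidateSet('Offboard', 'Lost')] [string] $Scenario = 'Offboard',
    [switch] $WhatIf                                             # report actions without sending them
)

Connect-MgGraph -Scopes 'User.ReadWrite.All',
                        'DeviceManagementManagedDevices.Read.All',
                        'DeviceManagementManagedDevices.PrivilegedOperations.All'

$log = [System.Collections.Generic.List[string]]::new()
function Note([string] $Message) { $log.Add("$(Get-Date -Format o) $Message") }

if ($Scenario -eq 'Offboard') {
    # Immediate step: disabling the account blocks new sign-ins; revoking sessions
    # also invalidates refresh tokens already cached on the leaver's devices.
    if (-not $WhatIf) {
        Update-MgUser -UserId $UserPrincipalName -AccountEnabled:$false
        Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null
    }
    Note "account disabled and sign-in sessions revoked: $UserPrincipalName"
}

# Act on every Intune-enrolled device for this user according to ownership.
$devices = Get-MgDeviceManagementManagedDevice -All -Filter "userPrincipalName eq '$UserPrincipalName'"
foreach ($d in $devices) {
    $companyOwned = $d.ManagedDeviceOwnerType -eq 'company'
    $label = "$($d.DeviceName) [$($d.OperatingSystem)] $($d.Id)"

    if ($Scenario -eq 'Lost' -and $companyOwned) {
        # Lost company device: lock now; the full wipe is a separate decision
        # after the 24-hour recovery window in the post, so it is not sent here.
        if (-not $WhatIf) { Invoke-MgRemoteLockDeviceManagementManagedDevice -ManagedDeviceId $d.Id }
        Note "remote lock sent: $label"
    }
    elseif ($Scenario -eq 'Offboard' -and $companyOwned) {
        # Leaver's company device: full wipe so it can be reclaimed and reissued.
        if (-not $WhatIf) { Invoke-MgWipeDeviceManagementManagedDevice -ManagedDeviceId $d.Id }
        Note "full wipe sent: $label"
    }
    else {
        # BYOD in either scenario: Retire removes company data, managed apps and the
        # work profile/enrolment and leaves the user's personal data untouched.
        if (-not $WhatIf) { Invoke-MgRetireDeviceManagementManagedDevice -ManagedDeviceId $d.Id }
        Note "selective wipe (retire) sent: $label"
    }
}

# Keep the record that compliance and cyber-insurance documentation asks for.
$logPath = ".\intune-actions-$($UserPrincipalName -replace '[@.]', '_').log"   # assumed location
$log | Tee-Object -FilePath $logPath -Append
```

Run it first with -WhatIf against a test account to confirm the device list and ownership values are what you expect before sending any wipe.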
Common Challenges and Solutions
“Users Don’t Want to Enroll Personal Devices”
Address concerns directly:
- Explain work profile privacy protections
- Provide written privacy commitments
- Offer company devices as alternative
- Consider app-only protection (no device enrollment)
“Enrollment Is Failing”
Troubleshoot common issues:
- Verify license assignment
- Check enrollment restrictions
- Ensure Apple push certificate valid
- Verify Android Enterprise configured
- Review device platform/version compatibility
“Compliance Policies Are Too Strict”
Balance security with usability:
- Start with baseline requirements
- Add restrictions incrementally
- Communicate changes in advance
- Provide grace periods for compliance
Getting Started: Next Steps
- Assess current state: Inventory devices and current management
- Define requirements: What must be protected? What’s acceptable risk?
- Plan pilot: Start with IT team or small group
- Configure basics: Compliance policies, conditional access
- Expand gradually: Roll out by department or device type
At CloudGeeks, we help Australian SMBs implement Microsoft Intune in ways that protect the business without frustrating employees. Whether you need help with planning, configuration, or ongoing management, we can help you get device management right.
Unmanaged devices are unacceptable risks for modern businesses. Intune makes professional device management accessible for SMBs. The setup investment pays off the first time you need to wipe a lost laptop or ensure a departing employee doesn’t walk away with company data.