Sequentur Blog
How to use Microsoft Intune to manage devices in a small business
Every employee in your business accesses company data from a device – a laptop, a phone, a tablet, sometimes all three. If someone loses their phone with company email on it, can you wipe the company data remotely? If an employee’s laptop does not have disk encryption enabled, do you know? If a personal device that accesses your Microsoft 365 data gets infected with malware, can you remove company data without touching their personal files?
Microsoft Intune answers all of these questions. It is a cloud-based device management service included in Microsoft 365 Business Premium that gives you control over how devices access your company data – whether those devices are company-owned or personal. For small businesses without a dedicated IT team, Intune fills the gap between “everyone just uses whatever device they want” and enterprise-grade device management.
This guide covers what Intune does, which plan you need, how to set it up, and the specific policies that matter most for small businesses.
What Intune actually does
Intune provides two capabilities: Mobile Device Management (MDM) and Mobile Application Management (MAM). Understanding the difference determines how you deploy it.
MDM (Mobile Device Management) gives you control over the entire device. You can enforce encryption, require screen locks, push software updates, install or remove applications, and remotely wipe the device if it is lost or stolen. MDM requires the device to be enrolled in Intune, which means the device registers with your organization and accepts management policies. This is the appropriate approach for company-owned devices.
MAM (Mobile Application Management) gives you control over company apps and data without managing the entire device. You can prevent company data from being copied to personal apps, require a PIN to open Outlook or Teams, and wipe only company data without touching personal content. MAM does not require full device enrollment and is the appropriate approach for personal devices under a BYOD policy.
Most small businesses use a combination: MDM for company-owned laptops and MAM for employees’ personal phones.
Which plan includes Intune
Intune is included in Microsoft 365 Business Premium ($22/user/month). It is not included in Business Basic or Business Standard. If you are on a lower plan, you can add Intune as a standalone add-on, but upgrading to Business Premium is usually more cost-effective because it also includes Defender for Business, conditional access, and Azure AD Premium P1.
Not every user needs a Business Premium license for Intune to be useful. If your sales team uses company phones and your admin staff uses only desktop computers in the office, you might license only the sales team for Premium. However, any device that accesses company data should be managed, so the practical answer is usually that everyone who uses a phone or laptop for work needs a Premium license.
Setting up Intune
Step 1: Configure enrollment settings
In the Microsoft Intune admin center (intune.microsoft.com), go to Devices > Enrollment.
Windows enrollment. For company-owned Windows devices, configure automatic enrollment. When a user signs into a Windows device with their work account, the device is automatically enrolled in Intune and receives your management policies. This is the smoothest experience – no manual enrollment steps for the user.
To enable automatic enrollment:
- Go to Devices > Enrollment > Windows > Automatic Enrollment
- Set the MDM user scope to “All” (or a specific group if you are rolling out in phases)
- Leave MAM user scope to “None” (MAM is configured separately for mobile devices)
iOS/iPadOS enrollment. Apple devices require an Apple Push Notification (APN) certificate for Intune to communicate with them. Set this up before enrolling any iPhones or iPads:
- Go to Devices > Enrollment > Apple > Apple MDM Push certificate
- Follow the wizard to download a CSR, upload it to Apple’s Push Certificates Portal, download the certificate, and upload it back to Intune
This certificate expires annually. Set a calendar reminder to renew it – if it expires, all enrolled Apple devices lose management and need to be re-enrolled.
Android enrollment. Android devices can be enrolled as personally-owned (work profile) or company-owned (fully managed). For most small businesses, the work profile approach is best for BYOD – it creates a separate work container on the device that Intune manages, leaving the personal side untouched.
Step 2: Create compliance policies
Compliance policies define the minimum security requirements a device must meet. Devices that do not meet these requirements are marked as non-compliant, and you can then use conditional access to block non-compliant devices from accessing company data.
Go to Devices > Compliance > Policies > Create policy.
Windows compliance policy – recommended settings:
- Require BitLocker disk encryption: Yes
- Require a password: Yes
- Minimum password length: 8 characters
- Require Secure Boot: Yes
- Require code integrity: Yes
- Maximum minutes of inactivity before password is required: 15
- Firewall required: Yes
- Antivirus required: Yes
- Antispyware required: Yes
iOS compliance policy – recommended settings:
- Require a password: Yes
- Minimum password length: 6 characters
- Maximum minutes of inactivity before screen lock: 5
- Require device encryption: Yes (iOS devices are encrypted by default when a passcode is set)
- Jailbroken devices: Block
Android compliance policy – recommended settings:
- Require a password: Yes
- Minimum password length: 6 characters
- Required password type: At least numeric
- Maximum minutes of inactivity before screen lock: 5
- Require device encryption: Yes
- Rooted devices: Block
Set the action for non-compliance to “Mark device non-compliant” immediately, and optionally send the user an email notification explaining what needs to be fixed. Do not set it to “Wipe device” for initial non-compliance – that is too aggressive. Mark it non-compliant, notify the user, and block access via conditional access. Give people time to fix the issue.
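The same Windows compliance policy, with the settings listed above and the "mark non-compliant, then notify" action sequence, can be created from the Microsoft Graph PowerShell SDK instead of the portal. This is an added example, not code from the original post or from Sequentur. It assumes the Microsoft.Graph module is installed, that the signed-in admin holds the DeviceManagementConfiguration.ReadWrite.All and DeviceManagementManagedDevices.Read.All permissions, and that the notification template GUID and the policy display name are placeholders you replace with your own; property names follow the windows10CompliancePolicy resource type in Graph v1.0 and should be checked against the current reference if the call is rejected.

```powershell
# Added example (not from the original post or from Sequentur): create the
# Windows compliance policy described above via Microsoft Graph.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All", "DeviceManagementManagedDevices.Read.All"

$graph = "https://graph.microsoft.com/v1.0"
# Placeholder: id of a template created under Devices > Compliance > Notifications.
$notificationTemplateId = "00000000-0000-0000-0000-000000000000"

# Property names follow the Graph windows10CompliancePolicy resource type.
$policy = @{
    "@odata.type"                         = "#microsoft.graph.windows10CompliancePolicy"
    displayName                           = "SMB Windows baseline"          # assumed name
    description                           = "Encryption, password, boot integrity and Defender checks"
    bitLockerEnabled                      = $true    # Require BitLocker disk encryption
    passwordRequired                      = $true    # Require a password
    passwordMinimumLength                 = 8        # Minimum password length
    secureBootEnabled                     = $true    # Require Secure Boot
    codeIntegrityEnabled                  = $true    # Require code integrity
    passwordMinutesOfInactivityBeforeLock = 15       # Inactivity before password is required
    activeFirewallRequired                = $true    # Firewall required
    antivirusRequired                     = $true    # Antivirus required
    antiSpywareRequired                   = $true    # Antispyware required
    # Actions for non-compliance. "block" is what the portal labels
    # "Mark device non-compliant"; gracePeriodHours 0 means immediately.
    # The "notification" action emails the user. No wipe action is configured.
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{ actionType = "block";        gracePeriodHours = 0; notificationTemplateId = "";                     notificationMessageCCList = @() }
                @{ actionType = "notification"; gracePeriodHours = 0; notificationTemplateId = $notificationTemplateId; notificationMessageCCList = @() }
            )
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/deviceCompliancePolicies" `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType "application/json"
"Created compliance policy $($created.id)"

# Assign to all devices. For a phased rollout use a groupAssignmentTarget
# with a groupId instead of allDevicesAssignmentTarget.
$assignment = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.allDevicesAssignmentTarget" } }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType "application/json"

# Check: list devices currently reported as non-compliant so you can follow up
# with their users before conditional access starts blocking them.
$nonCompliant = Invoke-MgGraphRequest -Method GET -OutputType PSObject `
    -Uri "$graph/deviceManagement/managedDevices?`$filter=complianceState eq 'noncompliant'&`$select=deviceName,userPrincipalName,operatingSystem,lastSyncDateTime"
$nonCompliant.value | Format-Table deviceName, userPrincipalName, operatingSystem, lastSyncDateTime
```

The final query is the part worth running on a schedule: a device that stops syncing still counts as non-compliant once its last check-in is stale, so the list tells you which users to contact before the conditional access policies in Step 5 are switched from report-only to enforced.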
Step 3: Create configuration profiles
Configuration profiles push settings to devices. Where compliance policies check whether a device meets requirements, configuration profiles actively configure the device.
Common configuration profiles for small businesses:
Windows – device restrictions:
- Require Windows Hello for Business (passwordless sign-in)
- Block external storage (USB drives) if your security policy requires it
- Configure Windows Update for Business to install security updates automatically
Windows – Wi-Fi profile:
- Push your office Wi-Fi configuration to managed devices so users do not need to manually enter credentials
iOS/Android – email profile:
- Push Exchange Online email configuration to managed devices so users do not need to manually configure Outlook
Step 4: Set up app protection policies (MAM)
App protection policies control what happens with company data inside specific apps. These are critical for BYOD scenarios where you manage the apps, not the device.
Go to Apps > App protection policies > Create policy.
Recommended settings for iOS and Android:
- Prevent backup of company data to iCloud/Google backup: Yes
- Allow copy/paste between managed and unmanaged apps: No (prevents copying company email text into personal apps)
- Require PIN for app access: Yes, 6 digits
- Block screen capture: Yes (prevents screenshots of company data)
- Encrypt company data on device: Yes
- Wipe company data after X days offline: 90 days (if a device does not check in for 90 days, company data is automatically removed)
These policies apply to Microsoft apps (Outlook, Teams, OneDrive, SharePoint) on personal devices. The employee installs Outlook from the app store, signs in with their work account, and the app protection policy applies automatically. Their personal email, photos, and other apps are unaffected.
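The Android version of this app protection policy, targeted at Outlook, Teams and OneDrive, can also be created through Graph. This is an added example, not code from the original post or from Sequentur. It assumes the Microsoft.Graph module, an admin holding DeviceManagementApps.ReadWrite.All, and that the group id and display name are placeholders; property names follow the androidManagedAppProtection resource type and should be checked against the current Graph reference. Android is used here because it exposes every setting in the list above; the iOS counterpart (iosManagedAppProtections) has no screen-capture or app-data-encryption switches, since iOS handles both natively, but the backup, clipboard, PIN and offline-wipe settings are the same.

```powershell
# Added example (not from the original post or from Sequentur): create the
# Android app protection (MAM) policy described above via Microsoft Graph.
Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All"

$graph   = "https://graph.microsoft.com/v1.0"
$groupId = "00000000-0000-0000-0000-000000000000"   # placeholder: BYOD users group

# Property names follow the Graph androidManagedAppProtection resource type.
$policy = @{
    displayName                          = "SMB Android BYOD app protection"   # assumed name
    description                          = "Company data stays inside managed Microsoft apps"
    dataBackupBlocked                    = $true          # no company data in Google backup
    allowedOutboundClipboardSharingLevel = "managedApps"  # no copy/paste into unmanaged apps
    pinRequired                          = $true          # PIN to open the app
    minimumPinLength                     = 6
    pinCharacterSet                      = "numeric"
    screenCaptureBlocked                 = $true          # no screenshots of company data
    encryptAppData                       = $true          # encrypt company data on device
    periodOfflineBeforeWipeIsEnforced    = "P90D"         # ISO 8601 duration: 90 days offline
}
$created = Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceAppManagement/androidManagedAppProtections" `
    -Body ($policy | ConvertTo-Json -Depth 5) -ContentType "application/json"
"Created app protection policy $($created.id)"

# Target the policy at the Microsoft apps by Android package id.
function New-AndroidAppTarget([string]$PackageId) {
    @{ mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.androidMobileAppIdentifier"; packageId = $PackageId } }
}
$targetApps = @{
    apps = @(
        New-AndroidAppTarget "com.microsoft.office.outlook"   # Outlook
        New-AndroidAppTarget "com.microsoft.teams"            # Teams
        New-AndroidAppTarget "com.microsoft.skydrive"         # OneDrive
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceAppManagement/androidManagedAppProtections/$($created.id)/targetApps" `
    -Body ($targetApps | ConvertTo-Json -Depth 10) -ContentType "application/json"

# Assign the policy to the BYOD user group. MAM policies are assigned to
# users, not devices, because the device itself is not enrolled.
$assign = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $groupId } }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceAppManagement/androidManagedAppProtections/$($created.id)/assign" `
    -Body ($assign | ConvertTo-Json -Depth 10) -ContentType "application/json"
```

Note that the policy does nothing until the conditional access rule in Step 5 requires an app protection policy; without that rule a user can still open mail in an unmanaged client and bypass every setting above.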
Step 5: Configure conditional access
Conditional access ties everything together. It creates rules that determine whether a sign-in attempt is allowed based on conditions like device compliance, location, and user risk.
Go to the Entra admin center > Protection > Conditional Access > Policies.
Policy 1: Require compliant device for desktop apps
- Users: All users
- Cloud apps: Office 365
- Conditions: Device platforms – Windows, macOS
- Grant: Require device to be marked as compliant
- Result: Users can only access M365 from managed, compliant laptops
Policy 2: Require app protection for mobile apps
- Users: All users
- Cloud apps: Office 365
- Conditions: Device platforms – iOS, Android
- Grant: Require approved client app and app protection policy
- Result: Users can only access M365 from Outlook/Teams with app protection policies applied
Policy 3: Block access from unmanaged devices (optional, strict)
- Users: All users
- Cloud apps: Office 365
- Conditions: Filter for devices – not compliant and not registered
- Grant: Block access
- Result: No M365 access from any unmanaged device
Start with policies 1 and 2 in report-only mode. This shows you which users and devices would be affected without actually blocking anyone. Review the report-only results for a week, address any devices that need to be enrolled or updated, then switch to enforcement.
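Policies 1 and 2 can be created directly in report-only mode through the Graph conditional access API, and the same session can pull a week of sign-in logs to show who would have been blocked. This is an added example, not code from the original post or from Sequentur. It assumes the Microsoft.Graph module, an admin holding Policy.ReadWrite.ConditionalAccess, Policy.Read.All and AuditLog.Read.All, and that the display names and the excluded emergency-access account id are placeholders of mine. Policy 3 (the device filter) is left out here; build it the same way once 1 and 2 are enforced.

```powershell
# Added example (not from the original post or from Sequentur): create CA
# policies 1 and 2 in report-only mode, then review their would-be failures.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "AuditLog.Read.All"

$graph = "https://graph.microsoft.com/v1.0"
# Placeholder: object id of an emergency-access (break-glass) account that is
# excluded so a misconfigured policy can never lock every admin out.
$breakGlassId = "00000000-0000-0000-0000-000000000000"

function New-ReportOnlyCaPolicy {
    param([string]$Name, [string[]]$Platforms, [string[]]$Controls, [string]$Operator)
    $body = @{
        displayName   = $Name
        state         = "enabledForReportingButNotEnforced"   # report-only mode
        conditions    = @{
            users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
            applications = @{ includeApplications = @("Office365") }
            platforms    = @{ includePlatforms = $Platforms }
        }
        grantControls = @{ operator = $Operator; builtInControls = $Controls }
    }
    Invoke-MgGraphRequest -Method POST -Uri "$graph/identity/conditionalAccess/policies" `
        -Body ($body | ConvertTo-Json -Depth 10) -ContentType "application/json"
}

# Policy 1: desktop platforms must present a device marked compliant by Intune.
New-ReportOnlyCaPolicy -Name "Require compliant device - desktop" `
    -Platforms @("windows", "macOS") -Controls @("compliantDevice") -Operator "OR"

# Policy 2: mobile platforms must use an approved client app AND have an app
# protection policy applied.
New-ReportOnlyCaPolicy -Name "Require app protection - mobile" `
    -Platforms @("iOS", "android") -Controls @("approvedApplication", "compliantApplication") -Operator "AND"

# Review: sign-ins from the last 7 days where a report-only policy would have
# blocked the user. Fix enrollment for these users and devices before
# changing the policy state to "enabled".
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$uri   = "$graph/auditLogs/signIns?`$filter=createdDateTime ge $since"
$hits  = @()
while ($uri) {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
    foreach ($s in $page.value) {
        foreach ($p in $s.appliedConditionalAccessPolicies) {
            if ($p.result -eq "reportOnlyFailure") {
                $hits += [pscustomobject]@{
                    Time     = $s.createdDateTime
                    User     = $s.userPrincipalName
                    App      = $s.appDisplayName
                    Platform = $s.deviceDetail.operatingSystem
                    Device   = $s.deviceDetail.displayName
                    Policy   = $p.displayName
                }
            }
        }
    }
    $uri = $page.'@odata.nextLink'   # follow paging until the log is exhausted
}
$hits | Sort-Object User, Time | Format-Table -AutoSize
```

Run the review loop at the end of the report-only week: an empty table means enforcement will not lock anyone out, while repeated rows for one user usually point at a device that was never enrolled or a phone still using the built-in mail client rather than Outlook.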
For more on conditional access in a broader security context, see Microsoft 365 security hardening for small business.
Enrolling devices
Company-owned Windows devices
If automatic enrollment is configured (Step 1), users just sign in with their work account. The device enrolls, receives compliance and configuration policies, and starts reporting its status to Intune. No action needed from the user beyond signing in.
For existing devices that are already set up, users can enroll manually through Settings > Accounts > Access work or school > Connect, then enter their work email address.
Personal phones (BYOD)
For iOS and Android devices with app protection policies, no enrollment is needed. The user installs Outlook or Teams, signs in with their work account, and the MAM policies apply. This is the lowest-friction approach for personal devices.
If you want full MDM management on phones (for company-issued phones), users install the Company Portal app from the App Store or Google Play, sign in, and follow the enrollment wizard. The wizard explains what the organization can and cannot see on the device – an important transparency step for employee trust.
Communicating to staff
Before enrolling devices, tell your team:
- Why you are setting up device management (protecting company data, compliance requirements, ability to wipe lost devices)
- What Intune can and cannot see on their personal device (it cannot see personal email, photos, texts, browsing history, or app usage)
- What changes they will notice (PIN required for Outlook, inability to copy work data to personal apps)
- What to do if their device is marked non-compliant (they will receive an email with specific instructions)
Transparency prevents the “my company is spying on my phone” reaction that derails BYOD programs.
What to do when a device is lost or stolen
This is where Intune earns its value instantly. When an employee reports a lost or stolen device:
Company-owned device:
- Go to Intune admin center > Devices > find the device
- Click “Wipe” for a full factory reset
- The device is remotely wiped the next time it connects to the internet
Personal device (BYOD with MAM):
- Go to Intune admin center > Apps > App selective wipe
- Select the user and device
- Company data is removed from Outlook, Teams, and OneDrive. Personal data is untouched.
Personal device (enrolled in MDM):
- Go to Intune admin center > Devices > find the device
- Click “Retire” (removes company data and management profile, leaves personal data)
- Or “Wipe” only if the employee consents to a full device reset
The ability to remotely wipe company data from a lost phone is the single most common reason small businesses adopt Intune. Without it, a lost phone with access to company email means hoping the finder does not open Outlook before the employee reports it. This is also a critical step in the employee offboarding process – ensuring company data is removed from all devices when someone leaves.
Common mistakes
Not using report-only mode first
Switching conditional access policies from “Off” to “On” without testing locks people out of their accounts. Always use report-only mode for at least a week to see who would be affected, then address enrollment and compliance gaps before enforcing.
Setting compliance actions too aggressively
Wiping a device as the first action for non-compliance is extreme and creates justified anger from employees. The correct sequence is: mark non-compliant, notify the user, block access via conditional access, then escalate to wipe only for lost/stolen devices or terminated employees.
Ignoring personal devices
If employees access company email on their personal phones (and they do, unless you have explicitly blocked it), those devices need at minimum an app protection policy. Ignoring personal devices does not make the risk go away – it just means you cannot respond when one is compromised.
Not renewing the Apple Push certificate
The APN certificate for iOS management expires annually. If it expires, every enrolled iOS device loses management and users must re-enroll. Set a calendar reminder 30 days before expiration.
Making enrollment too complicated
If the enrollment process requires employees to follow a 15-step guide, call IT support, and restart their device three times, adoption will be low. Automatic enrollment for Windows and app protection policies (no enrollment) for phones are the lowest-friction options. Use them.
Intune and cyber insurance
Many cyber insurance policies now ask about device management during the application process. Questions like “Do you have the ability to remotely wipe lost or stolen devices?” and “Do you enforce disk encryption on all endpoints?” are common. Without Intune or a similar MDM solution, the answer to both is no, which can affect your premium or coverage.
Having Intune deployed with compliance policies for encryption, screen lock, and remote wipe capability gives you concrete answers to these questions.
When to get help
Setting up Intune for a 5-person business with identical Windows laptops is a half-day project. Setting it up for a 30-person business with a mix of Windows laptops, Macs, iPhones, and Android phones – some company-owned, some BYOD – with conditional access policies that need to work without locking anyone out requires careful planning.
Consider getting help if:
- You have a mix of company-owned and personal devices across multiple platforms
- You need to configure conditional access without disrupting daily work
- You have compliance requirements (HIPAA, PCI, SOC 2) that dictate specific device security controls
- You have employees who work remotely and access company data from multiple devices, and need a consistent remote laptop onboarding process for every new hire
- You tried to set up Intune and accidentally locked everyone out (this is recoverable, but stressful)
Sequentur handles Intune deployment as a project – compliance policy configuration, conditional access setup, device enrollment, and phased rollout with report-only testing so nobody gets locked out on day one. Once the environment is set up, ongoing device management falls under our managed Microsoft 365 services – monitoring compliance, handling new device enrollments, managing offboarding wipes, and adjusting policies as your business changes.
Summary
Microsoft Intune gives you control over the devices that access your company data. Use MDM for company-owned devices (full device management including encryption enforcement, remote wipe, and software updates) and MAM for personal devices (app-level protection without managing the device itself). Both require Microsoft 365 Business Premium.
Start with compliance policies (what devices must do), app protection policies (what apps can do with company data), and conditional access (blocking non-compliant devices from accessing M365). Deploy in report-only mode first, communicate clearly with your team about what Intune can and cannot see on their devices, and test thoroughly before enforcing. The goal is protecting company data without making employees feel surveilled or making their devices harder to use.