Microsoft Intune

SCEP and PKCS certificate management with CA integration.

Deploy custom OMA-URI policies for Windows, Apple mobileconfig profiles for iOS/iPadOS and macOS, and Android OEMConfig payloads. Covers settings not exposed in the standard Intune console UI.

Device restrictions and capabilities enforcement across all supported platforms.

Email configuration profiles for Outlook and native clients.

Passcode policies and enforcement with complexity requirements.

Per-app VPN via Intune Tunnel requires separate gateway infrastructure.

Device-wide VPN configuration supported across major platforms.

Wi-Fi profiles supported across platforms. Linux limited to custom compliance scripts.

Android Zero Touch Enrollment supported through partner enrollment services.

Apple Device Enrollment (ADE) for iOS/iPadOS and macOS via Apple Business Manager. Best-in-class enrollment experience with Entra ID integration and conditional access during onboarding.

Apple Configurator 2 enrollment for iOS staging, CSV bulk import for device pre-registration, and Windows Autopilot bulk provisioning. Covers large-scale rollout and seasonal deployment needs.

Conditional enrollment with Entra ID integration for access control.

QR code enrollment available across most platforms for manual device registration.

Samsung Knox integration for enhanced security and enrollment on Samsung devices.

BYOD support with Company Portal and conditional enrollment policies.

Windows Autopilot provides best-in-class zero-touch enrollment for Windows devices.

App restriction and blocklist policies across platforms.

Managed app catalogs with self-service installation across platforms.

App configuration policies for iOS and Android managed apps.

Volume Purchasing Program support for iOS and macOS enterprise licensing.

Google Play for Work integration with managed and unmanaged app deployment.

Mobile Application Management without enrollment via Intune App Protection.

Silent/automatic app installation and updates via Intune.

Win32/LOB application deployment via .intunewin packaging.

Polling-based compliance (8hr default) with push notifications. Linux limited.

DLP available via Defender for Endpoint on Windows; not native to Intune.

Device encryption enforcement and verification.

Native geofencing not available; requires third-party integration.

Jailbreak/root detection and enforcement across mobile platforms.

Full device wipe capability across enrolled devices.

Retire action removes corporate data, managed apps, and MDM enrollment across iOS, Android, Windows, and macOS while preserving personal content. Core capability for BYOD offboarding and compliance remediation.

Defender for Endpoint MTD integration on mobile and Windows platforms.

Android updates limited to policy recommendations; OEM-dependent implementation.

Windows firmware updates managed through Device Firmware Configuration Interface.

iOS/iPadOS updates via Declarative Device Management with deferral options.

macOS updates via Declarative Device Management with version deferral.

Update deferral available for iOS, Windows, macOS; Android limited by OEM.

Windows Update for Business integration with deferral and ring deployment.

App deployment and usage analytics via Microsoft 365 reports.

Audit logs for admin actions and policy changes via Intune audit logs.

Compliance status reporting and remediation tracking.

Custom reports via Microsoft Graph API and Power BI integration.

Device inventory and fleet overview dashboards in Intune admin center.

Real-time device status via polling (default 8hr interval).

PowerShell scripts for Windows, shell scripts for macOS; Linux compliance scripts only.

Remote restart capability for Windows and macOS devices.

Remote device lock capability across all supported platforms.

Remote Help provides screen sharing and remote control for Windows and macOS. Android support available but constrained to dedicated device modes and select OEMs (Samsung, Zebra). Requires Intune Plan 2 or standalone add-on license.

Remote terminal via custom PowerShell/shell scripts on Windows/macOS.

Remote full and selective wipe actions.

Targeting by device type, platform, and ownership model.

Dynamic device groups based on device properties and compliance.

Geolocation/network-based targeting not natively available.

Device tagging for fine-grained policy targeting.

Policy assignment to users, device groups, and combinations.

Native Entra ID integration with best-in-class conditional access.

Native Entra ID Conditional Access with device compliance integration.

Google Workspace integration for ChromeOS via Entra ID; limited MDM.

Third-party IdP via SAML/OIDC for Company Portal authentication.

On-premises AD support via Entra ID hybrid join for Windows/macOS.

SAML and OpenID Connect support for identity federation.

Power Automate integration for workflow automation and orchestration.

No native plugin framework; extensibility via Graph API.

Comprehensive Microsoft Graph API for Intune management.

ServiceNow CMDB connector available for device lifecycle management.

SIEM integration via Azure Log Analytics and Microsoft Sentinel.

Change notifications and webhooks via Microsoft Graph.