What is Microsoft Intune used for?

Microsoft Intune manages and secures all devices (Windows, Mac, iOS, Android) from a cloud console — enrolling devices, enforcing security compliance policies (encryption, PIN, OS version), deploying apps remotely, integrating with Conditional Access to block non-compliant devices, and enabling remote wipe of lost or stolen devices.

Is Microsoft Intune included in Microsoft 365?

Yes. Microsoft Intune is included in Microsoft 365 Business Premium ($26.40/user/month CAD), E3, and E5 licences. It is not included in Business Basic or Business Standard. Intune can also be purchased as a standalone licence.

What is the difference between Intune MDM and MAM?

MDM (Mobile Device Management) enrolls and manages the entire device — suitable for company-owned devices and enables full device wipe. MAM (Mobile Application Management) manages only corporate apps on personal (BYOD) devices without enrolling the device itself, enabling selective wipe of company data only while leaving personal data untouched.

What Is Microsoft Intune? Mobile Device Management for Canadian Businesses

Microsoft Intune is Microsoft's cloud-based Mobile Device Management (MDM) and Mobile Application Management (MAM) platform, included in Microsoft 365 Business Premium, E3, and E5 licences. Intune enables IT teams to manage and secure all devices in an organization — Windows PCs, Macs, iPhones, iPads, and Android phones — from a single cloud console, ensuring every device meets security standards before it can access company data. For Canadian businesses with remote and hybrid teams, Intune is foundational to Zero Trust security.

What Microsoft Intune does

Device enrollment — registers all company and personal (BYOD) devices with the Intune management platform; can be automated for Windows devices via Windows Autopilot
Device compliance policies — defines minimum security standards: OS version, disk encryption (BitLocker for Windows, FileVault for Mac), PIN/password requirements, screen lock timeout
Conditional Access integration — non-compliant devices are blocked from accessing Microsoft 365 data until compliance issues are resolved; device compliance is verified on every access request
App management — deploy, update, and remove applications remotely on all managed devices; enforce app protection policies that prevent corporate data from being copied to personal apps
Remote wipe — selectively wipe corporate data from a lost or stolen device (or full wipe for company-owned devices) without user intervention
Configuration profiles — enforce security settings (Wi-Fi, VPN, email, certificate deployment) across all devices automatically
Windows Update management — control when and how Windows updates deploy to minimize business disruption while maintaining patch compliance

MDM vs. MAM: device management vs. app management

MDM (Mobile Device Management): manages the entire device; full enrollment; suitable for company-owned devices; enables full device wipe; enforces device-wide encryption, PIN, and configuration
MAM (Mobile Application Management): manages only corporate apps and data on a device without enrolling the device itself; suitable for personal (BYOD) devices; enables selective wipe of corporate data only; employees' personal data is untouched
Intune supports both: company-owned devices typically use MDM; personal devices use MAM policies to protect corporate data in apps like Outlook and Teams

Intune and PIPEDA compliance

Intune supports PIPEDA compliance in several ways:

Encryption enforcement — Intune can require and verify BitLocker (Windows) and FileVault (Mac) encryption on all managed devices; encrypted devices protect personal information even if lost or stolen
Remote wipe — if a device containing personal information is lost or stolen, remote wipe can be triggered immediately, reducing PIPEDA breach notification risk
Access logging — Intune logs all device access to corporate resources, supporting PIPEDA's accountability and safeguards requirements
App protection policies — prevent personal information in corporate apps from being shared or saved to unauthorized locations

Windows Autopilot: zero-touch device deployment

Intune integrates with Windows Autopilot to enable zero-touch device deployment: new Windows laptops can be shipped directly to remote employees, who turn on the device, sign in with their Microsoft 365 credentials, and Intune automatically configures the device — installing required apps, applying security policies, and enrolling in management — without IT touching the hardware. This is especially valuable for Canadian businesses with geographically distributed remote teams.

Related glossary terms

How Outsource IT Canada can help

Managed IT Services — 24/7 monitoring and flat-rate IT support for Canadian businesses
Cybersecurity Services — EDR, MDR, dark web monitoring, and incident response
PIPEDA Compliance — privacy impact assessments and breach notification procedures
Get a free assessment — call (416) 623-9677

Ready to transform your IT? Call (416) 623-9677 for a free assessment.