The business owner asked me what we could do. I had to tell him the truth: not much. The laptop was personal. There was no mobile device management in place. No way to remotely wipe company data. No policy that separated business files from personal ones. The horse was out of the barn.
That conversation is the reason I talk about Microsoft Intune with almost every client now.
What is Microsoft Intune?
Microsoft Intune is a cloud-based tool that lets you manage and secure every device that touches your company’s data — laptops, phones, tablets, desktops. It’s part of Microsoft 365 and it’s been around since 2011, but most small and mid-sized businesses I talk to either haven’t heard of it or don’t realize they already have access to it through their existing Microsoft license.
Here’s the simplest way I explain it: Intune is the remote control for your company’s devices. It lets you push security policies, deploy apps, and — when things go sideways — wipe company data off a device without touching someone’s personal photos or messages.
If you’ve heard the terms MDM (Mobile Device Management) or MAM (Mobile Application Management), Intune does both. MDM is about controlling the device itself. MAM is about controlling the apps and data on it. You need both, especially if your team uses personal phones for work.
Why this matters more than it did five years ago
Before 2020, most of our clients had a pretty simple setup. Company laptops in the office, connected to the company network, behind the company firewall. If someone left, you collected the laptop at the door.
That world doesn’t exist anymore. Now we’ve got employees working from home, from coffee shops, from their kids’ hockey tournaments. They’re checking email on personal phones. They’re accessing SharePoint from tablets. And every one of those devices is a potential doorway into your business.
Here’s what I’m seeing on the ground: the average business we onboard has 3 to 4 devices per employee connecting to company resources. A 40-person company doesn’t have 40 endpoints to manage. It has 120 to 160. Most of them unmanaged. Most of them running whatever security settings the employee happened to leave on.
That’s not a technology problem. That’s a business risk problem. And Intune is how you solve it without hiring three more IT people.
What Intune actually does (in plain English)
When we set up Microsoft Intune for a client, here’s what changes:
You can enforce security policies automatically. Intune compliance policies spell out your rules: a supported, up-to-date operating system, disk encryption turned on, a proper screen lock, and antivirus running. Every device that connects to company email or files is checked against those rules and marked compliant or non-compliant. On its own that is only a label. The enforcement comes from pairing it with a Conditional Access rule in Entra ID (formerly Azure AD) that says "compliant devices only." With both in place, a device that fails the check doesn't get access. No exceptions, no chasing people with reminder emails.
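Here is what those two halves look like when set up from PowerShell rather than the admin portal. This is an added example, not the article's or Microsoft's own script. It assumes the Microsoft Graph PowerShell SDK is installed, and the group and account IDs, the OS version floor and the policy names are placeholders you would replace for your own tenant. The compliance policy assignment cmdlet name is assumed from the SDK's Actions module.

```powershell
# Added example (not from the original article): a Windows compliance policy
# plus the Conditional Access policy that actually refuses non-compliant devices.
# Requires the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).
$scopes = @("DeviceManagementConfiguration.ReadWrite.All", "Policy.ReadWrite.ConditionalAccess")
Connect-MgGraph -Scopes $scopes

# Placeholder object IDs (assumption: replace with groups/accounts from your tenant).
$pilotGroupId = "00000000-0000-0000-0000-000000000001"   # staff pilot group
$breakGlassId = "00000000-0000-0000-0000-000000000002"   # emergency-access account, never blocked

# 1. Compliance policy: the rules a Windows device has to meet.
$compliance = @{
    "@odata.type"                         = "#microsoft.graph.windows10CompliancePolicy"
    displayName                           = "Baseline - Windows"
    description                           = "Encryption, screen lock, AV, firewall, patched OS"
    passwordRequired                      = $true
    passwordMinimumLength                 = 8
    passwordMinutesOfInactivityBeforeLock = 15
    bitLockerEnabled                      = $true
    secureBootEnabled                     = $true
    osMinimumVersion                      = "10.0.19045"   # assumption: adjust to your supported floor
    activeFirewallRequired                = $true
    antivirusRequired                     = $true
    antiSpywareRequired                   = $true
    defenderEnabled                       = $true
    # Graph rejects a compliance policy with no non-compliance action. "block" with a
    # zero-hour grace period marks the device non-compliant as soon as it fails a rule.
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{ actionType = "block"; gracePeriodHours = 0;
                   notificationTemplateId = ""; notificationMessageCCList = @() }
            )
        }
    )
}
$policy = New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter $compliance

# Assign the policy to the pilot group (assumed cmdlet name).
Invoke-MgAssignDeviceManagementDeviceCompliancePolicy -DeviceCompliancePolicyId $policy.Id -BodyParameter @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $pilotGroupId } }
    )
}

# 2. Conditional Access: without this, step 1 only labels devices and nothing is blocked.
#    Start in report-only mode and read the sign-in log before switching to "enabled".
$ca = @{
    displayName   = "Require compliant device for Microsoft 365"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeGroups = @($pilotGroupId); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $ca

# 3. Check before enforcing: which enrolled devices are failing the rules right now?
Get-MgDeviceManagementManagedDevice -Filter "complianceState eq 'noncompliant'" |
    Select-Object DeviceName, UserPrincipalName, OperatingSystem, ComplianceState
```

Two habits worth keeping from this: exclude at least one emergency-access account from every Conditional Access policy so a bad rule can't lock the tenant's admins out, and leave the policy in report-only until the non-compliant list in step 3 is short enough that turning it on won't take half the company offline on a Monday morning.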
You can deploy and update apps remotely. Need to push Microsoft Teams, Outlook, or a line-of-business app to 50 devices? Intune does it without anyone from our help desk needing to touch each machine. Updates, too — no more waiting for employees to click “remind me tomorrow” for six months.
You can separate company data from personal data. This is the big one for businesses that allow personal devices. Intune keeps company email, files, and apps inside a managed work container: app protection policies on iOS and Android, and a separate work profile on Android. Personal stuff stays outside it. If someone leaves the company, we issue a selective wipe of that container. Their vacation photos are untouched.
You can lock down or wipe a lost device in minutes. Laptop stolen from a car? Phone left in an airport? With Intune, we can remotely lock it, ask it for its last known location (on platforms that support it), or erase all company data before anyone has time to do damage. The distinction that matters: a "retire" removes company data and management and leaves everything else alone, which is what you want for a personal phone, while a full wipe resets the device to factory state and belongs on company-owned hardware.
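The two scenarios above (a departing employee's personal phone, and a stolen company laptop) map to different remote actions, and picking the wrong one is how personal photos get erased. This added example, not code from the article, shows both from PowerShell. It assumes the Microsoft Graph PowerShell SDK, a made-up user and device name, and that filtering managed devices by userPrincipalName is supported.

```powershell
# Added example (not from the original article): the remote actions behind
# "lock it, locate it, or wipe company data". Requires the Microsoft Graph PowerShell SDK.
$scopes = @("DeviceManagementManagedDevices.PrivilegedOperations.All", "DeviceManagementManagedDevices.Read.All")
Connect-MgGraph -Scopes $scopes

# Placeholder user (assumption: sample UPN and device name are made up).
$upn = "jsmith@example.com"
$devices = Get-MgDeviceManagementManagedDevice -Filter "userPrincipalName eq '$upn'"
$devices | Select-Object Id, DeviceName, OperatingSystem, ManagedDeviceOwnerType, LastSyncDateTime

# Case 1: departing employee, personal phone enrolled as BYOD.
# Retire removes the managed apps, profiles and company data and unenrolls the device.
# Personal photos, messages and apps are not touched. Never "wipe" a personal device.
$byod = $devices | Where-Object { $_.ManagedDeviceOwnerType -eq "personal" }
foreach ($d in $byod) {
    Invoke-MgRetireDeviceManagementManagedDevice -ManagedDeviceId $d.Id
}

# Case 2: company laptop stolen from a car.
# Lock first (fastest to take effect), request a location, then wipe. Wipe resets the
# device to factory state, so the ownership check below is the guard rail.
$corp = $devices | Where-Object {
    $_.ManagedDeviceOwnerType -eq "company" -and $_.DeviceName -eq "LT-JSMITH-01"
}
foreach ($d in $corp) {
    Lock-MgDeviceManagementManagedDeviceRemote   -ManagedDeviceId $d.Id
    Invoke-MgLocateDeviceManagementManagedDevice -ManagedDeviceId $d.Id
    Clear-MgDeviceManagementManagedDevice        -ManagedDeviceId $d.Id
}

# Confirm the actions were queued. They run the next time the device checks in,
# so a laptop that stays offline stays un-wiped; BitLocker is what protects it until then.
foreach ($d in $corp) {
    Get-MgDeviceManagementManagedDevice -ManagedDeviceId $d.Id |
        Select-Object -ExpandProperty DeviceActionResults
}
```

Two caveats a practitioner should know. Remote actions only execute when the device next contacts Intune, which is why disk encryption enforced through the compliance policy is the real protection for a laptop that never comes back online. And a personal phone that uses the work container without being enrolled (app protection policies only) does not appear as a managed device at all; its company data is removed with an app selective wipe from the Apps section of the admin center, not with the device actions shown here.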
Company-owned versus personal devices
This is where the conversation gets interesting with most business owners. They want to know: do I have to buy everyone a phone?
The answer is no. Intune handles both scenarios differently:
Company-owned devices get full management. We control everything — password requirements, VPN configuration, which apps are installed, what websites are accessible. The company owns the hardware, so the company sets the rules.
Personal devices (BYOD) get lighter management. We only manage the work apps and data. The employee keeps full control of their personal side. We can’t see their text messages, browsing history, or personal apps. But we can enforce security on the work container and wipe it if needed.
This is important because BYOD isn’t going away. Employees want to use their own phones. And honestly, it saves businesses money. The key is making sure personal devices don’t become cybersecurity liabilities — and that’s exactly what Intune prevents.
You might already have it and not know
This is the part that surprises most of our clients. If you’re paying for Microsoft 365 Business Premium, you already have Intune included in your license. You’re paying for it right now. You’re just not using it.
Microsoft 365 Business Premium runs about $27 CAD per user per month. That includes Office apps, email, Teams, OneDrive, and Intune. Most businesses we talk to are already on this plan or close to it. They just never turned Intune on because nobody told them it was there.
Even if you’re on a lower-tier Microsoft 365 plan, Intune can be added as a standalone license (Intune Plan 1). But in most cases, upgrading to Business Premium is the better deal because you get the full cloud security stack along with it: Defender for Business, Entra ID P1 (formerly Azure AD) for Conditional Access, and data loss prevention.
The business case: what are you actually preventing?
I don’t pitch Intune as a technology upgrade. I pitch it as risk reduction. Here’s what it prevents:
Data leaks from departing employees. The scenario I opened with. Without Intune, you’re trusting that people do the right thing when they leave. With Intune, you press a button and company data is gone from their device. Trust, but verify.
Compliance failures. If your business handles financial data, health records, or anything covered by PIPEDA, you need to prove you’re controlling how that data is accessed and stored. Intune gives you an audit trail and enforceable policies. When the auditor asks “how do you ensure only compliant devices access client data?” you have an answer.
Ransomware spreading through unpatched devices. One of the most common ransomware entry points is an endpoint running outdated software. Intune lets you enforce patching policies across every device, even the ones that never come into the office.
The 2 AM lost laptop panic call. Instead of hoping nobody finds the laptop and guesses the password, you lock it remotely and wipe it. Problem solved before your morning coffee.
Frequently Asked Questions
Is Microsoft Intune the same as Microsoft Endpoint Manager?
Microsoft retired the Endpoint Manager name in late 2022. Endpoint Manager was the umbrella brand that covered Intune and Configuration Manager; that umbrella is now simply called Microsoft Intune. If you see references to “Microsoft Endpoint Manager” or “MEM” in older documentation, that’s Intune.
Can Intune manage Mac and Linux devices, or just Windows?
Intune manages Windows, macOS, iOS/iPadOS, and Android devices. Linux support (Ubuntu and Red Hat Enterprise Linux desktops) is more limited but improving. For most Canadian businesses running a mix of Windows laptops and iPhones, Intune covers everything.
How long does it take to set up Microsoft Intune?
For a typical small business with 20 to 50 users, we can have Intune configured and devices enrolled within one to two weeks. The setup itself isn’t the hard part — it’s designing the right policies for how your business actually works. That’s where having an MSP handle the rollout saves time and headaches.
Do employees have to give up privacy on their personal phones?
No. When a personal device is enrolled in Intune’s BYOD mode, IT can only see and manage the work apps and data. Your IT team cannot see personal apps, photos, text messages, or browsing history. Employees keep full control of the personal side of their device.