A long-form deep dive into Microsoft Intune for Australian small and mid-sized businesses. Covers MDM versus MAM, Windows Autopilot, Apple Business Manager, BYOD app protection, compliance policies, Conditional Access integration, AUD pricing, deployment best practice and a side-by-side scenario showing five everyday moments with and without Intune configured.

    Product Deep Dive
    Recommended for Perth businesses with remote, hybrid or BYOD teams

    Microsoft Intune: managing every device your team uses, from one place

    Most 30-person businesses have no idea how many devices are connecting to their Microsoft 365 environment. Some are company laptops. Some are personal phones. Some belong to staff who left six months ago. Intune changes that.

    StartCloud · 19 May 2026 · 11 min read
    TL;DR

    The short version

    Microsoft Intune is a cloud-based device management platform that gives IT teams visibility and control over every device in the business: Windows, macOS, iOS and Android, whether company-owned or personal.

    It enforces security policies, automates device setup, manages apps, and integrates with Microsoft Entra ID so that only compliant devices can access Microsoft 365. It is included in Microsoft 365 Business Premium at no extra cost.

    This guide explains what it actually does, how enrollment works for different device types, and what your 30-person hybrid team looks like with it properly configured.

    Prices in this guide are indicative AUD figures current as of May 2026 and are subject to change. Always confirm with your licensing partner before purchase.

    What it is

    Device management for the hybrid workplace

    Microsoft Intune is a cloud-based endpoint management platform that sits at the intersection of device management and security. It combines mobile device management (MDM) and mobile application management (MAM) in a single platform, managed entirely from the Microsoft Intune admin centre.

    MDM gives you control over the device itself: pushing configuration profiles, enforcing compliance policies, deploying software, encrypting storage and remotely wiping a device if it is lost or stolen. MAM gives you control over work apps and data on a device without managing the device itself. This distinction matters for BYOD: Intune can protect work email and Teams data on a staff member's personal phone without touching their personal photos, messages or apps.

    Three enrollment scenarios for a 30-person team

    Company-owned Windows devices (Windows 10/11 laptops and desktops)
    Windows Autopilot. The device ships directly to the staff member. They sign in with their Microsoft 365 credentials. Intune automatically enrols the device, applies security policies, installs approved apps and configures settings. IT never needs to physically touch the device.

    Company-owned Apple devices (MacBooks, iPhones, iPads)
    Apple Business Manager (ABM) with Automated Device Enrollment (ADE). Devices purchased through ABM are linked to your Intune tenant. Staff power on the device, sign in, and policies are applied automatically. Requires setup in ABM before devices are purchased.

    Personal devices (BYOD): personal phones and tablets
    Staff install the Company Portal app (on iOS, Microsoft Authenticator does the same job), which acts as the broker for app protection policies, and sign in to the work apps. Intune applies app protection policies to Outlook, Teams and OneDrive without enrolling the device in MDM. Work data is protected and can be wiped selectively; personal data is never touched. App protection policies cover iOS and Android (and Microsoft Edge on Windows); a personal laptop that needs the full desktop apps is enrolled as a personally owned device instead, which brings it under MDM.

    Enrollment pathways at a glance

    Corporate Windows: Windows laptop → Autopilot registration → Microsoft 365 sign-in → Intune policies applied. Zero-touch setup; IT never handles the device.

    Corporate Apple: MacBook / iPhone → Apple Business Manager → Automated Device Enrollment → Intune policies applied. Requires ABM setup before device purchase.

    Personal device (BYOD): personal phone → Company Portal app → app protection policies → work apps protected, personal data untouched. No MDM; work data is protected without device management.

    Features that matter

    What Intune puts in your hands

    Here is what Microsoft Intune actually does, without the product marketing.

    Zero-touch device setup (Autopilot and ADE)

    Windows Autopilot and Apple Automated Device Enrollment mean new devices ship directly to staff and configure themselves on first login. No imaging, no manual setup, no IT visit. For a 30-person business onboarding three new staff a month, this saves hours and eliminates configuration errors.

    Compliance policies

    Compliance policies define the minimum security standard a device must meet: OS version, encryption status, PIN requirements, jailbreak detection. When a device fails a check, Intune flags it and can trigger a Conditional Access policy in Entra ID to block Microsoft 365 access until resolved.

    Configuration profiles

    Configuration profiles push settings to devices automatically: WiFi, VPN, email accounts, certificates, browser policies and security baselines. Staff get a correctly configured device without setting anything up. IT knows every managed device shares the same baseline.

    App management and deployment

    Intune deploys approved apps automatically, removes them when a device is unenrolled, and enforces app protection policies on work apps. On BYOD, app protection policies prevent work data from being copied out, require a PIN to open work apps, and allow selective wipe.
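    As an added example (not StartCloud's or Microsoft's own script), here is what the BYOD app protection policy described above looks like when created through Microsoft Graph from PowerShell: the settings that implement "work data stays in managed apps", "PIN to open work apps" and the offline wipe timer, targeted at Outlook, Teams and OneDrive on iOS. It assumes the Microsoft.Graph PowerShell module is installed, that the signed-in account has Intune administrator rights, and it uses a placeholder for the BYOD users group object ID that you would replace with your own.

```powershell
# Added example, not the page's own code: create an iOS app protection policy
# for BYOD phones via Microsoft Graph and target it at the Microsoft work apps.
# Assumptions: Microsoft.Graph module installed; signed-in account can manage
# Intune app protection; the group ID placeholder below is replaced with yours.

Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All"
$graph = "https://graph.microsoft.com/v1.0"

# These keys map to the "Data protection" and "Access requirements" sections of
# an app protection policy in the Intune admin centre. The device itself is not
# enrolled; only the apps that carry this policy are controlled.
$policy = @{
    "@odata.type"                           = "#microsoft.graph.iosManagedAppProtection"
    displayName                             = "BYOD - iOS work app protection"
    description                             = "Keep work data inside managed apps on personal iPhones and iPads"
    # Data protection: work data may only move between Intune-managed apps.
    allowedInboundDataTransferSources       = "managedApps"
    allowedOutboundDataTransferDestinations = "managedApps"
    allowedOutboundClipboardSharingLevel    = "managedAppsWithPasteIn"
    saveAsBlocked                           = $true
    dataBackupBlocked                       = $true
    printBlocked                            = $true
    contactSyncBlocked                      = $false
    # Access requirements: a PIN (Face ID / Touch ID allowed) to open a work app.
    pinRequired                             = $true
    minimumPinLength                        = 6
    fingerprintBlocked                      = $false
    # Re-check with Intune periodically; wipe work data if the app stays offline too long.
    periodOnlineBeforeAccessCheck           = "PT30M"
    periodOfflineBeforeAccessCheck          = "PT12H"
    periodOfflineBeforeWipeIsEnforced       = "P90D"
}
$created = Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceAppManagement/iosManagedAppProtections" `
    -Body ($policy | ConvertTo-Json -Depth 5) -ContentType "application/json"

# Target the policy at Outlook, Teams and OneDrive by their App Store bundle IDs.
$apps = @("com.microsoft.Office.Outlook", "com.microsoft.skype.teams", "com.microsoft.skydrive") | ForEach-Object {
    @{ mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"; bundleId = $_ } }
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceAppManagement/iosManagedAppProtections/$($created.id)/targetApps" `
    -Body (@{ apps = $apps } | ConvertTo-Json -Depth 5) -ContentType "application/json" | Out-Null

# Assign to the BYOD users group (group object ID is an assumption; replace it).
$assignment = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = "<BYOD-users-group-object-id>" } }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceAppManagement/iosManagedAppProtections/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 5) -ContentType "application/json" | Out-Null

"Created app protection policy {0} targeting {1} apps." -f $created.id, $apps.Count
```

    The same shape, with "#microsoft.graph.androidManagedAppProtection" and Android package names instead of bundle IDs, covers Android phones. Nothing here touches the phone's MDM state, which is the point of the BYOD model: the user can later remove the work apps, or IT can issue an app selective wipe, without either side needing a device enrollment.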

    Remote actions

    From the Intune portal, IT can remotely lock a device, reset the PIN, retire it (remove company data) or perform a full wipe. For BYOD, selective wipe removes only work data. Actions work as long as the device has an internet connection, anywhere in the world.

    Software inventory and device health

    Intune maintains an inventory of every enrolled device, current as of each device's last check-in: hardware, OS version, installed apps, compliance status, last check-in time and assigned user. A device that has not checked in for weeks is itself a finding. For a business with no idea what is on their network today, this visibility alone is transformative.

    BitLocker and FileVault key escrow

    Intune enforces BitLocker on Windows and escrows recovery keys to the device object in Entra ID. FileVault personal recovery keys on macOS are escrowed in Intune. If a Windows device drops into BitLocker recovery (after a firmware update, a motherboard swap or a failed TPM check), or a Mac user forgets their login password, the recovery key is available in the portal. Without this, an encrypted device that cannot unlock itself means losing the data.

    Defender and Conditional Access integration

    Intune integrates with Microsoft Defender for Business (through the Defender for Endpoint connector in the Intune admin centre) to share device risk signals. A compliance policy can require the device's Defender risk score to stay at or below a chosen level, so a device Defender flags as compromised drops out of compliance, which triggers Conditional Access in Entra ID to block sign-in. The three products form a closed loop.

    How compliance and Conditional Access work together

    Device checks in to Intune → compliance policy evaluated → compliant?

    Yes: Conditional Access grants access. Microsoft 365, Teams and SharePoint are all accessible.

    No: Conditional Access blocks access. The user sees a message: fix your device to regain access. Intune also sends the user a notification explaining what needs to be fixed (e.g. "Update your OS to Windows 11 23H2").

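    The two policies in that loop, as an added example that is not StartCloud's or Microsoft's own script: a Windows compliance policy with the checks the page lists (OS floor, BitLocker, Secure Boot, screen lock), assigned to all devices, and the Conditional Access policy that will require it, created in report-only mode through Microsoft Graph from PowerShell. It assumes the Microsoft.Graph module, an account that can manage Intune compliance policies and Conditional Access, and uses a placeholder for the break-glass group object ID; the names and thresholds are illustrative.

```powershell
# Added example, not the page's own code: create a Windows compliance policy
# and the report-only Conditional Access policy that will require it.
# Assumptions: Microsoft.Graph module installed; the account can manage Intune
# compliance and Conditional Access; replace the break-glass group placeholder.

Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All", "Policy.ReadWrite.ConditionalAccess"
$graph = "https://graph.microsoft.com/v1.0"

# 1. Compliance policy: the minimum a company Windows device must meet.
#    scheduledActionsForRule is mandatory when creating via Graph; with
#    gracePeriodHours = 0 a failing device is marked non-compliant immediately.
$compliance = @{
    "@odata.type"                    = "#microsoft.graph.windows10CompliancePolicy"
    displayName                      = "Windows baseline - encrypted, current, Secure Boot"
    description                      = "Minimum standard for company-owned Windows devices"
    osMinimumVersion                 = "10.0.22631.0"   # Windows 11 23H2; pick the floor your fleet already meets
    bitLockerEnabled                 = $true
    secureBootEnabled                = $true
    codeIntegrityEnabled             = $true
    passwordRequired                 = $true
    passwordMinimumLength            = 6
    passwordRequiredToUnlockFromIdle = $true
    scheduledActionsForRule          = @(
        @{
            ruleName                      = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{ actionType = "block"; gracePeriodHours = 0; notificationTemplateId = ""; notificationMessageCCList = @() }
            )
        }
    )
}
$compliancePolicy = Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/deviceCompliancePolicies" `
    -Body ($compliance | ConvertTo-Json -Depth 6) -ContentType "application/json"

# Assign it to all devices so every enrolled Windows device is evaluated.
$assignAll = @{ assignments = @(@{ target = @{ "@odata.type" = "#microsoft.graph.allDevicesAssignmentTarget" } }) }
Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/deviceCompliancePolicies/$($compliancePolicy.id)/assign" `
    -Body ($assignAll | ConvertTo-Json -Depth 6) -ContentType "application/json" | Out-Null

# 2. Conditional Access in report-only mode. Access to Office 365 would require
#    EITHER a compliant (MDM-enrolled) device OR an app under an app protection
#    policy, which is how BYOD phones without MDM keep working. Operator "OR"
#    is what lets the two enrollment models coexist in one policy.
$ca = @{
    displayName   = "Require compliant device or protected app for Microsoft 365 (report-only)"
    state         = "enabledForReportingButNotEnforced"   # flip to "enabled" only after the rollout check
    conditions    = @{
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @("<break-glass-group-object-id>")   # assumption: your emergency access accounts
        }
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice", "compliantApplication")
    }
}
$caPolicy = Invoke-MgGraphRequest -Method POST -Uri "$graph/identity/conditionalAccess/policies" `
    -Body ($ca | ConvertTo-Json -Depth 6) -ContentType "application/json"

"Compliance policy {0} and Conditional Access policy {1} created (report-only)." -f $compliancePolicy.id, $caPolicy.id
```

    Two design points worth noting: the break-glass exclusion is not optional, because a compliance policy that misfires would otherwise lock out the accounts you need to fix it; and the policy is deliberately created in report-only state so the sign-in logs show who would have been blocked before anyone actually is.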
    The honest take

    Pros and cons

    What works well

    • Included in M365 Business Premium. No additional licence cost. The question is whether it is switched on and configured.
    • Zero-touch setup (Autopilot and ADE). New devices configure themselves on first login. Saves hours of IT setup per device and eliminates manual errors.
    • BYOD without touching personal data. App protection policies protect work data on personal devices without enrolling them. Staff are far more willing to enrol when they know IT cannot see their photos.
    • Conditional Access integration. Combined with Entra ID, only healthy compliant devices can access Microsoft 365. Device health and identity security become one policy.
    • Remote wipe and selective wipe. A lost or stolen device is wiped in minutes from the portal. Selective wipe removes work data without affecting personal content.
    • Unified management across all platforms. One portal for Windows, macOS, iOS and Android. One set of policies, one compliance view, one place to manage every device.

    Where it falls short

    • Autopilot setup has prerequisites. Windows Autopilot requires each device's hardware hash to be registered in your tenant. For existing devices, that means running Microsoft's Get-WindowsAutopilotInfo PowerShell script on each one and uploading the result, and the device then has to go through the out-of-box experience again (a reset) before the Autopilot profile applies. For new devices, ask your reseller to register them at the point of purchase.
    • Apple Business Manager must be set up before devices arrive. ADE only applies automatically to devices purchased through ABM (or an ABM-linked reseller) after it is configured and linked to Intune. Devices already in hand can be added to ABM with Apple Configurator; otherwise they are enrolled manually.
    • BYOD enrollment requires staff cooperation. You cannot force a staff member to enrol their personal device. A clear BYOD policy and honest communication about what Intune can see makes adoption much higher.
    • Policy management requires ongoing attention. Compliance and configuration policies need review as OS versions change, new device types are introduced, or security requirements evolve. Set-and-forget is not sustainable.
    • Linux is not fully supported. Intune can enrol Ubuntu and Red Hat Enterprise Linux desktops, but with a much smaller feature set than Windows or macOS. Businesses with Linux workstations need supplementary tooling.

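    The hardware-hash step for an existing Windows device, as an added example that is not StartCloud's own script. Get-WindowsAutopilotInfo is Microsoft's published script on the PowerShell Gallery; the rest of the block (serial lookup, file path, group tag and the Graph verification query) is illustrative and assumes you run it in an elevated PowerShell session on the device, with the Microsoft.Graph module available for the final check.

```powershell
# Added example, not the page's own code: register a Windows device you already
# own with Autopilot and confirm the hash landed in the tenant.
# Assumptions: elevated PowerShell on the device; Microsoft.Graph module for the
# verification step; "PERTH-CORP" is an invented group tag.

Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned -Force
Install-Script -Name Get-WindowsAutopilotInfo -Force

$serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber

# Option 1: export the hardware hash to CSV. Upload it in the Intune admin centre
# (Devices > Windows > Windows enrollment > Devices > Import) or hand it to your
# reseller. The group tag lets a dynamic device group pick the device up and
# assign the right deployment profile.
Get-WindowsAutopilotInfo -OutputFile "$env:TEMP\autopilot-$serial.csv" -GroupTag "PERTH-CORP"

# Option 2: upload straight to the tenant. -Online signs in to Graph and waits
# until the device appears, so it is the better choice when you are at the keyboard.
Get-WindowsAutopilotInfo -Online -GroupTag "PERTH-CORP"

# Verify from any machine with the Graph SDK that the hash is registered and
# whether a deployment profile has been assigned to it yet.
Connect-MgGraph -Scopes "DeviceManagementServiceConfig.Read.All"
$registered = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/windowsAutopilotDeviceIdentities?`$filter=contains(serialNumber,'$serial')"
if (-not $registered.value) { throw "Serial $serial is not registered with Autopilot yet" }
$registered.value | ForEach-Object {
    "{0}  groupTag={1}  profileAssignment={2}" -f $_.serialNumber, $_.groupTag, $_.deploymentProfileAssignmentStatus
}
```

    A status of notAssigned means the device is registered but no deployment profile targets it yet, which is the most common reason an Autopilot rollout "does nothing" on first boot. Once the status shows assigned, reset the device (Settings > System > Recovery) so it re-enters the out-of-box experience and picks up the profile.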
    What it costs

    Pricing in real Perth dollars

    Microsoft Intune is available as part of Microsoft 365 Business Premium or as a standalone product. For most Perth SMBs, the Business Premium bundle is the most cost-effective path.

    Intune included in Microsoft 365 Business Premium
    Approximate AUD cost: ≈ $37/user/month (full licence)
    What you get: Intune plus Entra ID P1, Defender for Business, Defender for Office 365 and the full Microsoft 365 productivity stack.

    Microsoft Intune Plan 1 (standalone)
    Approximate AUD cost: ≈ $9.90/user/month
    What you get: Intune device and app management only. No Microsoft 365 productivity apps. For businesses that need MDM/MAM but are licensed elsewhere.

    Microsoft Intune Plan 2 (advanced)
    Approximate AUD cost: ≈ $14.30/user/month add-on
    What you get: Adds advanced endpoint management: Microsoft Tunnel for MAM, specialty device management and additional mobile threat defence integration. Most SMBs do not require Plan 2.

    For a 30-person business on Microsoft 365 Business Premium, Intune is already included in the $37/user/month licence. There is no additional cost to deploy it. The investment is in setup, configuration and ongoing management.

    Indicative figures only. Prices current as of May 2026 and subject to change. Confirm with your licensing partner before purchase.

    Real-world use cases

    Who gets the most from it

    Hybrid and remote teams

    When your team works from home, client sites and the office on any given day, you lose the physical security controls of a managed corporate network. Intune extends your security policies to every device regardless of location. A laptop on a home network gets the same compliance checks and policy enforcement as one in the office.

    Businesses onboarding staff regularly

    For businesses that hire frequently, manual device setup is a hidden cost. With Autopilot, a new Windows laptop ships directly to a new staff member, they log in, and the device configures itself. IT saves 2 to 4 hours per device. Onboarding 10 new staff in a quarter recovers 20 to 40 hours.

    Businesses with BYOD policies

    Personal devices connecting to Microsoft 365 are a significant and often unmanaged security risk. Intune's app protection policies set a clear security baseline for work apps on personal devices without managing the device itself. Staff get work email and Teams on their phone. The business gets confidence that work data stays in managed apps.

    Businesses with compliance requirements

    Many cyber insurance policies, client contracts and industry certifications now require documented device management. Intune provides a verifiable, auditable record of every enrolled device's compliance, configuration and software inventory. For businesses pursuing Essential Eight, ISO 27001 or SOC 2, Intune's compliance reporting is a significant asset.

    Businesses recovering from a device incident

    If you have had a device lost, stolen or compromised and had no way to remotely secure it or determine what data was on it, Intune directly addresses that gap. Remote wipe, encryption key escrow and device inventory mean the next incident has a very different outcome.

    Five moments every business faces

    What happens with and without Intune

    These are the five situations where device management either protects the business or exposes it. They happen in every organisation. The question is which of the two outcomes below describes your business when they do.


    A new staff member starts on Monday

    Without Intune

    IT manually sets up the laptop. Installs software, configures email, sets up VPN. Takes 2 to 4 hours. If done remotely, it is a lengthy phone call. Security settings depend entirely on the person doing the setup.

    With Intune

    The laptop was shipped directly to the staff member. They sign in with their Microsoft 365 credentials. Intune pushes all policies, installs approved apps and configures settings automatically. IT is notified when setup completes. No manual work required.

    A device leaves the building

    Without Intune

    No visibility. You do not know if the laptop is encrypted, has current patches, or is running approved software. If it connects to a compromised home network, you will not know.

    With Intune

    Compliance policy shows device status as of its last check-in: encryption confirmed, OS current, no flagged apps. If the device falls out of compliance, Conditional Access blocks Microsoft 365 access until the issue is resolved.

    A staff member's phone is lost

    Without Intune

    You call the staff member. You ask them to change their Microsoft 365 password. Work email may remain accessible on the device if found. Client data may be at risk.

    With Intune

    IT performs a selective wipe from the Intune portal: work email, Teams and OneDrive data are removed from the device. Personal photos and apps are untouched. The action completes the next time the device connects to the internet.

    A staff member leaves the company

    Without Intune

    You disable their Microsoft 365 account. Their personal phone may still have cached work emails. Their laptop needs to be collected, manually wiped and re-imaged. Former staff occasionally retain access to shared files.

    With Intune

    IT retires the device from Intune: company data and apps are removed and the device is unenrolled. Personal devices are selectively wiped. The device object is then disabled or deleted in Entra ID so it can no longer satisfy a compliant-device requirement; its escrowed BitLocker recovery key stays on the device object until that object is deleted, in case the hardware needs to be unlocked and reissued. The process takes minutes, not days.

    A security incident needs investigation

    Without Intune

    You have no reliable record of what was on the device, what software was installed, or when it last connected. Investigation relies on what the staff member remembers.

    With Intune

    Intune's device inventory shows every enrolled device's hardware, OS version, installed apps, compliance history and last check-in. Defender for Business adds the full timeline. Investigation has a complete starting point.

    In practice

    What Intune looks like day-to-day

    For most staff members, Intune is invisible. That is the correct outcome. Device management should work in the background, not add friction to everyday work.

    A staff member on a managed Windows laptop

    Their laptop arrived pre-configured. They see a 'This device is managed by your organisation' message in Windows Settings. Apps they need are already installed or available in the Company Portal. They work normally.

    A staff member using their personal phone for work

    They installed the Company Portal app, signed in to Outlook and Teams and accepted the app protection policy, a five-minute process that does not enrol the phone in MDM. Work apps now ask for a PIN when opened and will not let work data be copied into personal apps. Their personal photos and messages are not visible to IT.

    An IT manager or MSP

    The Intune admin centre shows a dashboard of all enrolled devices, compliance status and any devices that have fallen out of compliance, current as of each device's last check-in. Software deployment, policy changes and remote actions are all managed from one portal.

    StartCloud (managed deployment)

    StartCloud monitors compliance status, manages policy updates as Microsoft releases new security baselines, handles enrollment issues and reports monthly on device health and compliance rates.

    A staff member whose device is non-compliant

    They see a notification that their device needs attention: update your OS, enable encryption, or similar. Microsoft 365 access may be restricted until the issue is resolved, with a clear message explaining what needs to be fixed.

    How StartCloud deploys Intune

    From zero visibility to full device management

    A well-deployed Intune environment requires careful sequencing. Deploying compliance policies before enrollment is complete, or enforcing Conditional Access before staff have had time to enrol their devices, creates unnecessary disruption. Here is how StartCloud approaches it.

    Step 1. Licence confirmation and device audit

    We confirm your Microsoft 365 Business Premium licence and conduct a device audit: how many devices exist, which OS versions they run, which are company-owned versus personal, and which already have management software installed. This shapes the enrollment strategy.

    Step 2. Autopilot setup for Windows devices

    For existing Windows devices, we extract hardware hashes and register them with Autopilot. For new devices, we work with your reseller to enable Autopilot registration at the point of purchase. We configure the out-of-box experience profile so devices configure themselves on first login.

    Step 3. Apple Business Manager setup

    We link your Apple Business Manager account to your Intune tenant and configure Automated Device Enrollment for future Apple purchases. For existing Apple devices not eligible for ADE, we use the Company Portal enrollment process.

    Step 4. Compliance and configuration policies

    We configure compliance policies aligned to your security baseline: minimum OS versions, encryption requirements, screen lock settings and app restrictions. Configuration profiles push WiFi, VPN, email and security baselines automatically.

    Step 5. BYOD policy and staff communication

    We draft a BYOD policy explaining what Intune can and cannot see on personal devices, configure app protection policies for Outlook, Teams and OneDrive, and prepare staff communication explaining how to enrol and why it benefits them.

    Step 6. Conditional Access enforcement (staged rollout)

    Conditional Access policies requiring a compliant device are introduced in report-only mode first, so we can see what would be blocked without actually blocking anyone. Once all active users have enrolled compliant devices, we switch to enforcement. This staged approach prevents legitimate staff from losing access mid-rollout.
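    The gate between report-only and enforcement in Step 6, as an added example that is not StartCloud's own script. It lists licensed, enabled users who still have no compliant device in Intune, counts the sign-ins from the last 14 days that the report-only policy recorded as reportOnlyFailure (the sign-ins it would have blocked), and only switches the policy to enforced when you pass -Enforce and that count is zero. It assumes the Microsoft.Graph module, read access to users, managed devices and sign-in logs, write access to Conditional Access, and that the policy carries the display name shown; the 14-day window is a choice, not a requirement.

```powershell
# Added example, not the page's own code: readiness check before switching a
# "require compliant device" Conditional Access policy from report-only to enforced.
# Assumptions: Microsoft.Graph module; the policy name below; 14-day lookback.
# Users who only ever use a BYOD phone under an app protection policy will
# legitimately appear in list (a), which is why the report-only failures in
# (b) are the real gate.
param([switch]$Enforce)

Connect-MgGraph -Scopes "User.Read.All", "DeviceManagementManagedDevices.Read.All", "AuditLog.Read.All", "Policy.ReadWrite.ConditionalAccess"

$policyName = "Require compliant device or protected app for Microsoft 365 (report-only)"
$policy = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$policyName'" | Select-Object -First 1
if (-not $policy) { throw "Conditional Access policy '$policyName' not found" }

# (a) Who should be covered: enabled member accounts that hold a licence.
$users = Get-MgUser -All -Filter "accountEnabled eq true and userType eq 'Member'" `
    -Property id, userPrincipalName, assignedLicenses |
    Where-Object { $_.AssignedLicenses.Count -gt 0 }

# Compliant devices keyed by primary user. Filtering client-side avoids relying
# on server-side $filter support for complianceState.
$compliantByUser = @{}
Get-MgDeviceManagementManagedDevice -All -Property userPrincipalName, complianceState |
    Where-Object { $_.ComplianceState -eq 'compliant' -and $_.UserPrincipalName } |
    ForEach-Object { $compliantByUser[$_.UserPrincipalName.ToLower()] = $true }
$noCompliantDevice = @($users | Where-Object { -not $compliantByUser.ContainsKey($_.UserPrincipalName.ToLower()) })

# (b) What the policy would have blocked. Report-only outcomes are recorded per
#     sign-in under appliedConditionalAccessPolicies with result reportOnlyFailure.
$since = (Get-Date).AddDays(-14).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$wouldBlock = @(Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since" | Where-Object {
    $_.AppliedConditionalAccessPolicies | Where-Object { $_.Id -eq $policy.Id -and $_.Result -eq 'reportOnlyFailure' }
})

"Users without a compliant device: {0}" -f $noCompliantDevice.Count
$noCompliantDevice | Select-Object UserPrincipalName
"Sign-ins the policy would have blocked in the last 14 days: {0}" -f $wouldBlock.Count
$wouldBlock | Select-Object UserPrincipalName, AppDisplayName,
    @{ n = 'OS'; e = { $_.DeviceDetail.OperatingSystem } }, @{ n = 'Compliant'; e = { $_.DeviceDetail.IsCompliant } }

if ($Enforce -and $wouldBlock.Count -eq 0) {
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -State "enabled" `
        -DisplayName ($policy.DisplayName -replace ' \(report-only\)$', '')
    "Policy switched to enforced."
} elseif ($Enforce) {
    "Not switching: review the sign-ins above first."
}
```

    Run it without -Enforce during the rollout to watch the two numbers fall; a user who appears in the first list but never in the second is working from a protected app on a personal phone and will not be affected by enforcement. Sign-in logs are retained for a limited period, so a window much longer than 30 days will return nothing extra.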

    Watch out

    Common pitfalls

    • Enforcing Conditional Access before enrollment is complete. If you require a compliant device before staff have had time to enrol, you lock people out of their email and Teams. Always complete enrollment before enforcing Conditional Access, start the policy in report-only mode, and exclude your emergency access (break-glass) accounts from it so a misconfigured policy cannot lock every administrator out.

    • Forgetting about Apple Business Manager lead time. ADE only applies automatically to devices purchased after ABM is configured and linked to Intune. Devices already in your hands need to be added through Apple Configurator or enrolled manually. Plan ABM setup well before your next device purchase.

    • Not communicating the BYOD policy clearly. Staff who do not understand what 'managed' means on their personal device will not enrol. A short, plain-English explanation of what IT can and cannot see dramatically improves enrollment rates.

    • Deploying compliance policies that flag most devices as non-compliant immediately. If your policy requires Windows 11 22H2 and half your fleet is on 21H2, you will generate a wave of alerts on day one. Baseline your fleet before setting compliance thresholds.

    • Not setting up BitLocker key escrow. BitLocker protects data on encrypted Windows devices, but if the recovery key is not escrowed in Entra ID via Intune, a device that enters BitLocker recovery (after a firmware update, a hardware change or a failed TPM check) is permanently locked. Configure key escrow in the encryption policy before enabling BitLocker, and confirm the device object in Entra ID actually holds a key.

    • Treating Intune as set-and-forget. Compliance policies need updating as new OS versions are released. App protection policies need review when new apps are added to the M365 stack. Assign someone responsibility for quarterly Intune policy reviews.

      Our Managed Security service provides this ongoing oversight.

    The verdict

    Should your business deploy Intune?

    Yes, particularly if your team works remotely or from multiple locations, you have staff using personal devices for work, or you have grown beyond the point where someone manually sets up every device.

    The core argument for Intune is simple: you cannot protect what you cannot see. Most Perth SMBs have a reasonably clear picture of their servers and network equipment. They have very little visibility into the devices their staff are using to access company data every day. Intune changes that.

    The investment is in setup and configuration, not in licensing (if you are already on Microsoft 365 Business Premium). A properly deployed Intune environment gives you real-time device visibility, automated compliance enforcement, zero-touch device setup, and the ability to respond to a lost or stolen device in minutes rather than days.

    Can't see your devices?

    Not sure which devices in your business are managed, encrypted or compliant? StartCloud audits your Microsoft 365 environment and deploys Intune across your team, Windows, Mac and personal devices included.

    Book a device health check

    No obligation. Straight answers. Perth-based team.

    Sources

    References

    1. Microsoft Intune product page
      https://www.microsoft.com/en-au/security/business/microsoft-intune
    2. Microsoft Intune documentation
      https://learn.microsoft.com/en-us/mem/intune/
    3. Windows Autopilot overview
      https://learn.microsoft.com/en-us/autopilot/windows-autopilot
    4. App protection policies in Microsoft Intune
      https://learn.microsoft.com/en-us/mem/intune/apps/app-protection-policy
    5. Conditional Access and Intune device compliance
      https://learn.microsoft.com/en-us/mem/intune/protect/conditional-access
    6. Apple Business Manager and Automated Device Enrollment
      https://support.apple.com/en-au/guide/apple-business-manager/welcome/web
    7. Microsoft Intune Plan 1 vs Plan 2 comparison
      https://learn.microsoft.com/en-us/mem/intune/fundamentals/intune-overview

    Document prepared May 2026 by StartCloud (Start Technologies Pty Ltd). Pricing and feature information is indicative only and current as of the date of preparation. Microsoft licensing changes frequently, so confirm with your licensing partner before any purchase decision.
