Intune Stand-Alone and Hybrid Comparison


Hi All,

Have you ever needed to compare what Intune Stand-Alone and Hybrid can do for you? There is a lot of information out there, but none of it (as far as my research goes) compares the two setting by setting. It is easy to say that if you have over 50k devices you should consider the hybrid scenario (where SCCM connects to Intune), but what if you are below that number? Should you consider Intune Stand-Alone or Hybrid?

In this blog post I'll try to give you some of the key points and pick a winner (in my opinion). In this post I'm only looking at the MDM comparison for iOS and Android (including Samsung KNOX), not every single feature that both solutions can provide.

Before we start: I've focused on SCCM version 1511, with some notes on what is available in 1602 and in the latest version of Intune. I have done a lot of copy/paste (especially in the tables), so if anything is not in the correct place, let me know and I'll be happy to update the post.

Also, as you'll see, there is a gap between the two technologies: sometimes Intune has more settings available than hybrid, other times SCCM seems better than Intune. Microsoft is working hard to close this gap, which means that most (if not all) features/options/settings you see in hybrid will soon be added to Intune stand-alone, and hybrid is being upgraded to get all the features/options/settings available in stand-alone. I hope this gap will be closed in the next few SCCM/Intune updates.

So, let's start, shall we?

1 – Choose between Intune stand-alone and hybrid
I put together a list that will help you choose the correct path. I imagine this list could be extended, but the focus of each technology stands. SCCM (hybrid) can manage non-domain machines, but its focus is domain-joined machines, so you'll not see non-domain machines under hybrid. The same goes for stand-alone: non-domain-joined computers are its focus, so you'll not see domain-joined computers on its list. It does not mean you cannot manage them; it is just not the focus of the technology.

Stand-Alone
Manage mobile devices
Manage non-domain-joined computers
Manage less than 50,000 devices
Limited or no IT infrastructure
Exchange ActiveSync or Active Directory synchronization can be used
Mobile or highly distributed workforce
Active Directory is already synchronized with AzureAD

Hybrid
Manage mobile devices
Manage domain-joined computers
Manage Servers
Manage computers with SCCM client
Manage more than 50,000 devices
SCCM is already being used
Active Directory is already synchronized with AzureAD

2 – Unified administration with Desktop and Servers
When using Intune Stand-Alone there is no unified administration: Intune does not manage servers (Windows or Linux), which means the administrator will have to use two different consoles for set-up, day-to-day administration and reporting.

Recommendation: hybrid

3 – Reporting
Intune Stand-Alone does not provide a massive number of reports (about 10 in total), and the only customization available is the parameters that a given report may require. In a hybrid environment you have access to over 50 MDM-specific reports and are able to create new ones.

Recommendation: hybrid

4 – Supported Devices
The list of supported devices is the same: iOS 7.1+ and Google Android 4.0 and later (including Samsung KNOX).

Recommendation: draw

5 – Bulk Enrolment
By default, enrolment in both Intune Stand-Alone and hybrid is restricted to a number of devices per user. Bulk enrolment allows the IT department to use a generic account, so the device is enrolled by the IT department instead of the user. Typical examples are public devices, kiosk devices, shared devices for students, etc. A user added as a Device Enrolment Manager has the right to enrol more than five devices. Both Intune Stand-Alone and hybrid allow bulk enrolment.

Recommendation: draw

6 – Maximum managed device count
Intune Stand-Alone supports up to 50,000 devices, while SCCM supports a total of 175,000 clients and devices, of which no more than 150,000 may be cloud-based devices.

7 – On-premises infrastructure required
Intune Stand-Alone does not require any on-premises infrastructure, while hybrid does.

Recommendation: Stand-alone

8 – Extensible and customizable
Intune Stand-Alone does not provide a way to perform any customization, while hybrid allows you to extend reports and inventory, add custom actions, automate tasks and install 3rd-party solutions.

Recommendation: hybrid

9 – Simple web Console accessible from anywhere
Intune Stand-Alone is accessible via a web browser and can be used anywhere in the world with internet connectivity. Hybrid uses its own console, which needs to be installed and requires a connection to the SMS Provider.

Recommendation: stand-alone

10 – Retire and wipe devices
Both Intune Stand-Alone and hybrid support retiring and wiping devices.

Recommendation: draw

11 – Application deployment
Intune Stand-Alone allows deployment of an app to a user or device. If the application should be available on multiple platforms, multiple apps (one per platform) and multiple deployments must be created. Hybrid is different: it uses the SCCM application model, where a single application can have multiple deployment types, one per platform. It also allows the IT admin to manage the whole life-cycle of an application.

Recommendation: hybrid

12 – Security
Intune Stand-Alone has a total of 4 security rights that cannot be customized, while in the hybrid environment rights can be customized, allowing users to perform only specific tasks.

Recommendation: hybrid

13 – Platform Restrictions
Intune Stand-Alone allows Android by default and this support cannot be disabled; support for iOS can be added. In hybrid mode, support can be enabled per platform, and all platforms are disabled by default.

Recommendation: hybrid

14 – Enrolment Rules
Both Intune Stand-Alone and hybrid allow users to enrol multiple devices. The IT admin can allow each user to enrol between 1 and 5 devices, 5 being the maximum.

Recommendation: draw

15 – Company Portal
Both Intune Stand-Alone and hybrid support customization of the Company Portal with company name, IT contact name/e-mail, logo, colours, etc.

Recommendation: draw

16 – Terms and Conditions
Both Intune Stand-Alone and hybrid support multiple Terms and Conditions that need to be accepted by the end user when connecting to the Company Portal.

Recommendation: draw

17 – Device Enrolment Manager
Both Intune Stand-Alone and hybrid support multiple Device Enrolment Managers.

Recommendation: draw

18 – Device Groups
Intune Stand-Alone allows creation of device groups based on a limited number of filters: all devices included in the parent group, all devices managed by Intune, all devices managed by Exchange, an empty group, or direct membership. Hybrid allows a group to be created based on almost any information that SCCM holds, including device type, OS name/version, etc.

Recommendation: hybrid

19 – User Groups
Intune Stand-Alone allows creation of user groups based on a limited number of filters: all users included in the parent group, users that are members of specific groups, users that have specific managers, exclusions based on groups and managers, or direct membership. Hybrid allows a group to be created based on almost any information that SCCM holds, including department, manager, OU location, etc.

Recommendation: hybrid

20 – Corporate Device Enrolment
Both Intune Stand-Alone and hybrid allow Corporate Device Enrolment for iOS (in hybrid it is called Enrolment Policies); the only difference is that Intune Stand-Alone allows assigning the devices to a specific group.

Recommendation: draw

Note: I decided that this feature has no 'winner', as Intune Stand-Alone does not provide great group management capability, while hybrid can provide more in-depth and dynamic group management via collections.

21 – Application Management Policies
Both Intune Stand-Alone and hybrid allow Application Management Policies for the Managed Browser and other apps, for both iOS and Android, with the same settings.

Recommendation: draw

22 – Exchange Conditional Access
Both Intune Stand-Alone and hybrid allow Conditional Access for Exchange Online (including Office 365) and Exchange on-premises, with the same settings.

Recommendation: draw

23 – SharePoint Online Conditional Access
Both Intune Stand-Alone and hybrid allow Conditional Access for SharePoint Online, with the same settings.

Recommendation: draw

24 – Skype for Business Online Conditional Access
Both Intune Stand-Alone and hybrid allow Conditional Access for Skype for Business Online, with the same settings.

Recommendation: draw

25 – Email Profile
Both Intune Stand-Alone and hybrid allow e-mail profiles. Hybrid allows not only UPN or primary SMTP address, but also a custom format (defined by the IT admin) or a value obtained from Active Directory.

Recommendation: hybrid

26 – VPN Profile
Both Intune Stand-Alone and hybrid allow VPN profiles. Intune allows configuration for Cisco AnyConnect, Pulse Secure, F5 Edge Client, Dell SonicWALL Mobile Connect, Check Point Capsule VPN or Custom (iOS only), while hybrid allows configuration for Cisco AnyConnect, Pulse Secure, F5 Edge Client, Dell SonicWALL Mobile Connect, Check Point Capsule VPN and PPTP (iOS only).

Recommendation: draw

27 – Wi-Fi Profile
Both Intune Stand-Alone and hybrid allow Wi-Fi profiles. Intune allows configuration for WPA-Enterprise or WPA2-Enterprise only, while hybrid allows configuration for No authentication (Open), WPA-Personal, WPA-Enterprise, WPA2-Personal, WPA2-Enterprise, WEP and 802.1X.

Recommendation: hybrid

28 – Compliance Policies

Policy Setting | Stand-Alone | Hybrid
Require password to unlock devices | Y | Y
Allow simple password | Y | Y
Minimum password length | Y | Y
Password type | Y | N
Password type – minimum number of character sets | Y | N
Password quality | Y | N
Minutes of inactivity | Y | N (available on SCCM CB 1602)
Password expiration | Y | N
Remember password history | Y | N
Require a password to unlock an idle device | Y | N (available on SCCM CB 1602)
Require encryption on mobile device | Y | Y
Email account must be managed by Intune | Y | Y
Device must not be jailbroken or rooted | Y | Y
Minimum operating system version | Y | Y
Maximum operating system version | Y | Y

Recommendation: stand-alone
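To make the compliance settings in the table above concrete, here is an added example (my own illustration, not Intune or SCCM code) of how an MDM service evaluates a device's reported state against such a policy. The policy and device field names are hypothetical, and the device records are constructed; the one non-obvious detail it shows is that "Minimum/Maximum operating system version" has to be compared numerically per component, since a string comparison would treat "9.3" as newer than "10.2".

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.3.1' into (10, 3, 1) so versions compare numerically.
    A plain string comparison would rank '9.3' above '10.2'."""
    return tuple(int(part) for part in text.split("."))


@dataclass
class CompliancePolicy:
    # Field names mirror the settings named in the table (hypothetical keys).
    require_password: bool = True
    allow_simple_password: bool = False
    min_password_length: int = 6
    require_encryption: bool = True
    block_jailbroken_or_rooted: bool = True
    min_os_version: Optional[str] = None
    max_os_version: Optional[str] = None


@dataclass
class DeviceState:
    # Constructed device inventory record (hypothetical field names).
    name: str
    os_version: str
    has_password: bool
    password_is_simple: bool
    password_length: int
    encrypted: bool
    jailbroken_or_rooted: bool


def evaluate(policy: CompliancePolicy, device: DeviceState) -> List[str]:
    """Return the names of the settings the device fails; empty means compliant."""
    failures = []
    if policy.require_password and not device.has_password:
        failures.append("Require password to unlock devices")
    if device.has_password:
        # Password-shape checks only make sense when a password exists.
        if not policy.allow_simple_password and device.password_is_simple:
            failures.append("Allow simple password")
        if device.password_length < policy.min_password_length:
            failures.append("Minimum password length")
    if policy.require_encryption and not device.encrypted:
        failures.append("Require encryption on mobile device")
    if policy.block_jailbroken_or_rooted and device.jailbroken_or_rooted:
        failures.append("Device must not be jailbroken or rooted")
    current = parse_version(device.os_version)
    if policy.min_os_version and current < parse_version(policy.min_os_version):
        failures.append("Minimum operating system version")
    if policy.max_os_version and current > parse_version(policy.max_os_version):
        failures.append("Maximum operating system version")
    return failures


# Constructed sample policy and fleet.
SAMPLE_POLICY = CompliancePolicy(min_password_length=6, min_os_version="9.3")
SAMPLE_DEVICES = [
    DeviceState("ipad-01", "10.2", True, False, 8, True, False),
    DeviceState("iphone-07", "8.4", True, True, 4, False, True),
]


def compliance_report(policy: CompliancePolicy = SAMPLE_POLICY,
                      devices: List[DeviceState] = SAMPLE_DEVICES) -> dict:
    """Map each device name to its list of failed settings."""
    return {d.name: evaluate(policy, d) for d in devices}


if __name__ == "__main__":
    for name, failures in compliance_report().items():
        print(name, "compliant" if not failures else failures)
```

A non-compliant result is what the Exchange/SharePoint/Skype conditional access sections below act on: the device keeps its enrolment but is blocked from the service until every failed setting is cleared.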

29 – Configuration Policies (Android)

Policy Setting | Stand-Alone | Hybrid
Require a password to unlock mobile devices | Y | Y
Minimum password length | Y | Y
Number of repeated sign-in failures to allow before the device is wiped | Y | Y
Password expiration | Y | Y
Password quality | Y | Y
Allow fingerprint unlock | Y | N
Allow Smart Lock and other trust agents | Y | N
Require encryption on mobile devices | Y | Y
Require encryption on storage cards | Y | N
Allow screen capture | Y | N
Allow diagnostic data submission | Y | N
Allow factory reset | Y | Y
Allow Google backup | Y | Y
Allow Google account auto sync | Y | Y
Allow web browser | Y | N
Allow autofill | Y | N
Allow pop-up browser | Y | N
Allow cookies | Y | N
Allow active scripting | Y | N
Allow Google Play store | Y | N
Allow camera | Y | Y
Allow removable storage | Y | N
Allow Wi-Fi | Y | N
Allow Wi-Fi tethering | Y | N
Allow geolocation | Y | N
Allow NFC | Y | N
Allow Bluetooth | Y | N
Allow power off | Y | Y
Allow voice roaming | Y | N
Allow data roaming | Y | N
Allow SMS/MMS messaging | Y | N
Allow voice assistant | Y | N
Allow voice dialling | Y | N
Allow copy and paste | Y | N
Allow clipboard share between applications | Y | Y
Allow YouTube | Y | N
Managed Settings for Android (White List/Black List) | Y | Y
Select a managed app that will be allowed to run when the device is in kiosk mode | Y | Y
Allow volume buttons | Y | Y
Allow screen sleep wake button | Y | Y

Recommendation: stand-alone

30 – Configuration Policies (iOS)

Policy Setting | Stand-Alone | Hybrid
Require a password to unlock mobile devices | Y | Y
Required password type | Y | N
Number of complex characters required in password | Y | Y
Minimum password length | Y | Y
Allow simple password | Y | Y
Number of repeated sign-in failures to allow before the device is wiped | Y | Y
Minutes of inactivity before password is required | Y | N (available on SCCM CB 1602)
Password expiration | Y | Y
Remember password history | Y | Y
Minutes of inactivity before screen turns off | Y | N
Allow fingerprint unlock | Y | Y
Rating region | N | Y
Movie rating | N | Y
TV show rating | N | Y
App rating | N | Y
Allow screenshot | Y | Y
Allow Control Center in lock screen | Y | Y
Allow notification view | Y | Y
Allow Today view | Y | Y
Allow untrusted TLS certificates prompt | Y | Y
Allow diagnostic data submission | Y | Y
Allow Passbook while locked | Y | Y
Allow backup to iCloud | Y | Y
Allow document sync to iCloud | Y | Y
Allow Photo Stream sync to iCloud | Y | Y
Require encrypted backup | Y | Y
Allow Safari | Y | Y
Allow autofill | Y | Y
Allow plug-ins | N | N (available on SCCM CB 1602)
Allow pop-up blocker | Y | Y
Allow cookies | Y | Y
Allow Java scripting | Y | Y
Allow fraud warning | Y | Y
Allow application store | Y | Y
Require a password to access application store | Y | Y
Allow in-app purchases | Y | Y
Allow managed documents in other unmanaged apps | Y | Y
Allow unmanaged documents in other managed apps | Y | Y
Allow video conferencing | Y | Y
Allow adult content in media store | Y | Y
Allow adding Game Center friends | Y | Y
Allow multiplayer gaming | Y | Y
Allow camera | Y | Y
Allow voice roaming | Y | Y
Allow data roaming | Y | Y
Allow global background fetch while roaming | Y | Y
Allow Siri | Y | Y
Allow Siri while device is locked | Y | Y
Allow voice | Y | Y
Managed Settings for Android (White List/Black List) | Y | Y
Select a managed app that will be allowed to run while device is in kiosk mode | Y | Y
Allow touch | Y | Y
Allow screen rotation | Y | Y
Allow volume | Y | Y
Allow ringer switch | Y | Y
Allow screen sleep wake button | Y | Y
Allow auto lock | Y | Y
Enable mono audio | Y | Y
Enable VoiceOver | Y | Y
Enable Zoom | Y | Y
Enable invert colors | Y | Y
Enable AssistiveTouch | Y | Y
Enable speech selection | Y | Y
Allow activation lock when the device is in supervised mode | Y | N (available on SCCM CB 1602)

Recommendation: hybrid

31 – OMA-DM and OMA-URI
OMA Device Management (OMA-DM) is a device management protocol used by all MDM solutions, and iOS and Android allow use of the OMA-DM API to manage devices. OMA-URI allows specifying configurations that are not available via the console. Both Intune Stand-Alone and hybrid allow OMA extensions.

Recommendation: draw

32 – Alerts
When using Intune Stand-Alone there is a set of pre-defined alerts that can be viewed in the console. You can enable or disable each alert and configure its severity; however, this is a global setting and is not applicable to individual items.
Hybrid has a more granular approach, where you can enable or disable alerts per deployment, and you can set a percentage of failures before an alert is generated, which is useful in a large environment.

Recommendation: hybrid

33 – Notification
Alerts can be viewed in the console as well as sent by e-mail. When using Intune Stand-Alone you can create notification rules where specific alert types or severities are sent to one group of recipients while other alert types or severities are sent to another group. Hybrid has a single approach: once an alert is generated and a subscription is enabled, the alert is sent to a designated e-mail address. There is no filter on which alerts are sent; it is just a case of on/off and which recipient receives the alert, and the recipient is a single e-mail address.

Recommendation: stand-alone

34 – Policy Refresh Interval
When a policy or app is deployed, a hybrid environment takes up to 5 minutes to sync the information to the Intune infrastructure. This connection is managed by the Service Connection Point over TCP port 443 to the *manage.microsoft.com address.
Once the data is available on the Intune infrastructure (or in an Intune Stand-Alone environment), Intune immediately begins attempting to notify the device that it should check in with the Intune service. This typically takes less than 5 minutes.
If a device doesn't check in to get policy after the first notification is sent, 3 more attempts are made. If the device is offline (i.e., powered off or without internet connectivity), it might not receive the notifications.
In this case the device will get policy on its next scheduled check-in with the Intune service, as follows:

  • iOS – every 6 hours
  • Android – every 8 hours

If the device has just enrolled, the check-in frequency is higher, as follows:

  • iOS – every 15 minutes for 6 hours, then every 6 hours
  • Android – every 3 minutes for 15 minutes, then every 15 minutes for 2 hours, and then every 8 hours

Users can also launch the Company Portal app and sync the device to check for policy immediately at any time.

Recommendation: draw
